Customer privacy notice

Manchester Building Society is a trading name of Newcastle Building Society. Whenever you see “we”, “us” or “our” in this Privacy Notice it means Newcastle Building Society and its subsidiaries including Newcastle Financial Advisers Limited (NFAL).

Our Privacy Notice sets out how we use your personal data and how we support your rights under data protection law in the UK. We respect your privacy rights and take our data protection obligations very seriously. Any personal data that we hold about you will be stored and held securely by us.

We collect your personal data when you apply for one of our products, request a service, when you visit our website/app, or communicate with us.  Our Privacy Notice applies to personal data which is supplied by you to us by any means whether via this website, by telephone, by email or letter, or face-to-face with our branch staff. It also applies to your personal data that we receive from others, such as your mortgage intermediary, financial advisers, credit reference agencies, or any joint account holders. 

It is important that you revisit our Privacy Notice regularly, as we may change the content to reflect how we deliver our products and services.  A full copy of our Privacy Notice can be found via the links below, which provides more information about how we collect and process your personal data.

We collect personal data about visitors to our website and branches, callers to our telephone service, and our applicants and customers. We collect the following categories or personal data about you:

• Personal details which you provide to us – for example, when applying for one of our products or services or a product or service of one of our trusted third-party providers, including name, date of birth, address history and contact information.
• Identification documents including passport, drivers’ licence and other proof of address documents which you provide us with when applying for a product or service with us.
• Communications between you and us.
• Details of meetings or calls (or recordings of calls) you may have with us – including where you enquire about, apply for, administer or discuss one of our products and services.
• Contractual details, including the products and services provided where you are or have been a customer with us.
• Your membership details if you are a member of the Newcastle Building Society, including details of whether you have voted in our AGM (but not details of your vote).
• Your security information (including usernames, PIN numbers, passwords, answers to secret questions) used to keep information relating to your account safe and secure.
• Financial information, including transaction history, account details, balances, payee information, payer information, credit history where you are a savings or mortgage customer, relating to current products and services or products and services you previously held with us. 
• Income and credit history. For example, we may ask for copies of employment contracts, self-assessed tax returns, accounts, payslips and P60 forms, proof of pension provision, gifted deposit details and consent to let forms when you are applying for a mortgage with us.
• Property ownership information if you are a mortgage customer.
• Details of any customer service issues, or complaints that you might make to us.
• Family and lifestyle details, which we may ask for as part of your application for life cover if you are an NFAL customer.
• Details of the device being used where you access our services online but not details of who is using it.
• User activity details and user preferences at trend level, (i.e. which pages on our site are being visited and how long they are being viewed for), but we cannot personally identify you.
• The website which you were referred to us by. 
• Location details at trend level (i.e. which location you might be visiting our website from, but this is not necessarily accurate as it may come from server or data centres, and we would not be able to identify you). 
• Electronic identification data including IP address and information collected through cookies – please see our Cookies Policy for further information on how we use cookies and other similar technologies.

Sensitive personal data and criminal conviction data

We also collect certain sensitive types of personal data (which are known as special categories of personal data or criminal conviction data). This would include:

• Information we ask for as part of your application such as criminal or health issues that may affect our ability to offer third party insurance products.
• Information you provide for accessibility requirements.
• Information you provide which is necessary for us to record so that we can make appropriate adjustments for you in relation to the administration of our products and services. For example, if you request copies of documentation in large print, or in braille.
• Information that we may hold by virtue of your communications with us or your transaction history which may reveal sensitive information about you or others.

We collect personal data from you, from others about you, and from your use of our products and services, as set out below.

Personal data supplied by you.

We collect personal data from you such as:

• When you enquire about or apply for our products and services.
• When you apply for third party products and services via us.
• When you arrange an appointment with an NFAL adviser via us.
• When you talk to us on the phone or in branch.
• When you use our website.
• In emails and letters to us.
• When you communicate with us via social media.
• When you vote in the AGM.
• In financial reviews and interviews.
• In customer surveys.
• If you attend a seminar.
• If you take part in our competitions or promotions.
• If you make an enquiry or a complaint.
• When you visit a branch or one of our offices if CCTV is in operation.
• When you engage with any AI-based services we provide, such as chatbots.

Personal data supplied by others.

We collect personal data about you from others, such as:

• Mortgage intermediaries, and other intermediaries who introduce you to us.
• Any company, partnership, corporation or business that applies for our products or services or a product or service of one of our trusted third-party providers.
• Any professional instructed by you such as your solicitor, conveyancer or financial adviser.
• The solicitor or conveyancer of the other party to any transaction we are involved in.
• Your trustees.
• Any claims management company instructed by you.
• Your next of kin or power of attorney.
• Credit reference agencies.
• Insurers.
• Comparison websites.
• Social media sites (e.g. if you like or comment on our Facebook page).
• Fraud prevention agencies.
• Land agents.
• Public information sources such as Companies House, the Land Registry, the Electoral Register, the Insolvency Service or register of County Court Judgments.
• Loyalty scheme operators.
• Agents working on our behalf.
• Law of Property Act Receivers working on your behalf.
• Market researchers.
• Government and law enforcement agencies.

Personal data generated through your use of our products and services.

We collect information about you when you use our services. This is also your personal data. This includes:

Payment and transaction data, including amounts, frequency, date and time, location, the person or business making or receiving the payment.

What if you choose not to give us your personal data?

• We may need to collect personal data by law (for example, to identify who you are), or under the terms of a contract we have with you (for example, your contact details).
• If you choose not to give us this information, it may delay or prevent us from providing our services to you or it could mean that we cancel a product or service you have with us.

What happens with personal data you provide about joint account holders, or family members, or others?

If you provide personal data on behalf of a joint applicant or joint account holder, or personal data about any other person, you must ensure that you have their permission to do so and they are happy for us to process their personal data as necessary to manage your accounts or comply with your requests. For example:

• We may search, link and record information about joint account holders or joint mortgage applicants at credit reference agencies.
• We may contact your advisers (such as your solicitor or mortgage intermediary) using the details you have given us.
• We administer your account on the instructions of a third party where you have given them authority to do so, for example if they are a power of attorney.

We process your personal data for many different purposes. Data protection law only allows us to use your personal data if we have a lawful reason. We have explained these purposes and the lawful reasons that we rely on to carry out that processing under data protection law below:

Processing of your personal data to perform a contract with you

We process your personal data where we need to use the information so that we can perform a contract we have entered into with you or decide whether to enter into a contract with you. For example, this includes:

• Carrying out application processes.
• Making a decision about your application.
• Opening or closing your account(s).
• Providing our products and services to you.
• Managing our relationship with you.
• Handling service requests or complaints.
• Recovering debts from you and collecting payments from you.
• Making and receiving payments on your behalf.
• Dealing with other banks or merchants on your behalf. For example, where you have disputed a transaction.
• Providing mortgage redemption statements to you or your solicitor / acting conveyancer upon request.
• Where you have asked us to execute a transaction from your account, we may use the payment information (account/payee details) provided by you. By agreeing to us opening and operating an account for you, you agree to the payment information (account/payee details) provided by you being used to execute payment transactions from your account.

Processing of your personal data where we must comply with legal and regulatory obligations.

We are required to process your personal data where it is necessary for compliance with legal and regulatory obligations that we are subject to. For example, this includes:

• Keeping accurate and up-to-date records, contact details and records of contractual and statutory rights.
• To detect, investigate, report and prevent financial crime.
• To adhere to laws and regulations which apply to us.
• Retaining information for a specified amount of time.
• To run our business in an efficient manner, including audit, corporate governance, risk and financial management, planning and business capability.
• To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.

Processing of your personal data where you have consented to that processing.

We process your personal data in certain circumstances where you have given your consent. For example, this includes:

• Providing you with information about our special offers, products and services that we feel may be of interest and benefit to you (unless you inform us that you do not want to receive such direct marketing).
• If you have provided sensitive personal data (also known as special categories of personal data) which we have recorded so that we can make appropriate adjustments for you in relation to the administration of our products and services.
• Where you have consented to share your details with journalists as part of a case study, we will share your basic information and contact details with journalists for them to contact you about publishing an article about your experience. To find out more, please visit www.newcastle.co.uk/media-centre/tell-us-your-story.

Processing of your personal data where we have a legitimate interest to do so.

We process your personal data for various purposes where we believe we have a legitimate interest, and we have balanced this against your rights as an individual.  For example, this includes:

• Using third party account details to execute transactions from your account, which you ask us to make.
• To monitor your use of our services and systems to ensure they are functioning correctly and efficiently.
• To monitor, develop and improve our services to ensure the correct customer outcomes are being achieved and for training and quality purposes. For example, we may conduct customer surveys, monitor underwriting decisions, record and review calls, review complaints and perform user / optimisation testing.
• To prevent and detect fraud, money laundering and other crime. This may include checking your location when you use a mobile device to help prevent fraud.
• Recovering debts from third parties.
• Business management and planning, including accounting, risk reporting and auditing to ensure our business is run efficiently and in accordance with best practices.
• To conduct data analytics studies to review and better understand our customers and how our products and services are delivered.
• Dealing with legal disputes.

How do we use your sensitive personal data?

Some of your personal data which we hold will be sensitive personal data (or what is known as special categories of personal data) or criminal conviction data. We will use your sensitive personal data and/or criminal conviction data in the following ways:

• Where we have your explicit consent. For example, to enable us to make necessary and appropriate adjustments for you in the administration of our products and services.
• Where we need to process the information in relation to legal claims.
• Where it is necessary to safeguard your economic wellbeing. 
• Where the processing is necessary in the substantial public interest. For example, to prevent or detect unlawful or fraudulent acts.
• To protect your or another person’s vital interests. We will process your personal data in very limited circumstances where we feel you or another individual may be at serious risk (for example, life or death circumstances) and no other lawful basis can be relied upon in the circumstances.

What happens if the purposes for processing change?

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated or incompatible purpose, we will notify you and we will explain the lawful reason which allows us to do so.

How do we use your personal data for fraud prevention?

We want to protect our customers and our business from financial crime and therefore maintains systems and controls in relation to anti-money laundering, fraud and terrorist financing.

The personal data which you provide in your applications for products and services will be checked against a national fraud detection system and your identity will be checked and confirmed, including if you are acting as a power of attorney.

In certain circumstances your details could be shared with other lenders or crime prevention agencies or law enforcement agencies to assist in the prevention of financial crime.

The Money Laundering Regulations require us to take appropriate steps to identify and assess the risks of money laundering and terrorist financing.  We are obliged to ensure that we have adequate policies, controls and procedures in place to prevent money laundering and detect fraud.

How do we use your personal data for credit checks and identity checks?

When you apply for a mortgage or savings account with us, we use a third-party identification system which allows us to automatically run a check of your personal data, including your name, address and date of birth, against several databases to produce a score.

If the score is a pass, then the application will progress.  If it does not attract a pass score, then we will ask you to provide additional identification and verification documentation.

Please contact us if you would like to understand how we produce your score, and the impact it may have on you.

How do we use your personal data obtained via CCTV monitoring?

We have 24/7 CCTV surveillance in operation in our branches and outside of our offices (including in our ‘Community Rooms’).  We have a legitimate interest to operate CCTV surveillance to ensure the safety of our staff and customers, the security of our premises and to prevent and assist with the investigation of crime.

We record video images of the premises which may include public areas outside of our premises. From those images we may be able to imply information which reveals special category data, but we will not use the data for any purpose than the purpose stated above.

The CCTV images are recorded for one month at which point the disc automatically overwrites.

Please see our CCTV Privacy Notice for more information about how CCTV footage is used.

Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

• Where we are required to make a decision by law, and we have notified you that a decision has been based on automated processing and given you 21 days to request a reconsideration or that a new decision is taken not based solely on automated processing.
• Where it is necessary to perform a contract with you and appropriate measures are in place to safeguard your rights.
• In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
• If we make an automated decision on the basis of any particularly sensitive personal data, we must have your explicit written consent, and we must also put in place appropriate measures to safeguard your rights.

We use profiling and automated decision-making processes including:

• To complete credit checks where you apply for mortgages or loans, so we can assess credit risk.
• To complete our identification process when you apply for a mortgage or open an account with us, as part of our money laundering and fraud prevention requirements.
• To tailor marketing we send you, so it is relevant to you.

The personal data we hold about you is confidential. We will only disclose it outside the Society when:

• We are required to share it with a third party product provider to take steps as requested by you prior to you entering into a contract with them – for example, if you are a customer, and you wish to purchase products or services from NFAL or any other external product provider, and you would like us to provide your details to them.
• We use a supplier to provide services which support our products and services which we provide to you. In this case, we remain responsible for your personal data.
• We or others need to investigate or prevent crime (e.g. to fraud prevention or law enforcement agencies). 
• We need to carry out credit checks when you are applying for a mortgage and we may continue to share information with credit reference agencies for as long as you are a customer, including details about your settled accounts or any debts not repaid on time, your account balances and repayments.  Credit reference agencies (CRAs) will give us information about you such as your financial history.   We use this information to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at www.experian.co.uk/crain.
• We need to share your personal data with third parties to protect your or another person’s vital interests or safeguard your economic wellbeing, for example if a referral to social services is required for a vulnerable customer.
• The law permits or requires it, or any other regulatory body requires it, even without your consent. For example, HM Revenue and Customs, or other authorities or regulatory bodies.
• There is a duty to the public to reveal the information.
• As we do not currently provide payment accounts, your accounts held with us are not accessible to Account Information Service Providers (AISPs) or Payment Initiation Service Providers (PISPs). However, we are an active participant of the Credit Payment Recovery Scheme and will seek to cooperate fully with requests for payment information from fellow Payment Service Providers (PSPs) who are members of this scheme. This approach is aligned to the regulatory requirement for PSPs to cooperate with each other in efforts to trace and recover unauthorised or incorrectly executed payment transactions. Where we receive a request for information from another Payment Service Provider in relation to a payment to or from your account with us, we will inform you of this request and our arrangements and timeline for response.

 Businesses which provide services directly to you

• We introduce our customers to various third-party businesses so that they can provide their products and services to you. We will always inform you before we share your personal data with these businesses, and we require them to respect the security of your data and treat any such disclosures in accordance with the applicable data protection legislation. 
• You can find out more about our third-party product providers by visiting our website and clicking on the “Financial Planning” or “Insurance” sections or by contacting us using the contact information set out in the “How do you contact us about your personal data?” section of this Privacy Notice.

Businesses which support us in providing services to you

We operate a complex yet robust and secure range of services. To deliver our services efficiently, we use various suppliers. All our suppliers and other entities in our corporate group acting which process personal data on our behalf are required to take appropriate security measures to protect your personal data. We do not allow them to use your personal data for their own purposes such as marketing. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

These include:

• Newcastle Strategic Solutions Limited (a subsidiary of Newcastle Building Society), which provides savings management solutions and information systems and support to us.
• Our subsidiary company, Newcastle Financial Advisers Limited (NFAL), which provides financial advice services upon your request.
• Mailing and print houses.
• Research and data analytics providers.
• Credit reference agencies and identity checking systems.
• Corporate insurance providers.
• Data centres, including Cloud Service Providers.
• Customer survey partners. Where you consent for us to do so we may use any feedback provided, on an anonymised basis, in our marketing communications/literature.

 Others that we may provide your personal data to

• We may share your personal data where we are required to by law, or where we have a legitimate interest. For example, we may report suspicions of money laundering to the National Crime Agency or Action Fraud.  We may also be required to support law enforcement agencies in their investigations. We may not be able to inform you of this in advance.
• We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business.
• We may share your personal data with regulatory bodies or ombudsman services or to otherwise comply with the law.

Newcastle Financial Advisers Limited

• NFAL may provide you with financial advice services upon your request.  This will always be arranged by introduction from us, and it will be made clear to you when you are dealing with NFAL. 
• NFAL is an appointed representative of the Openwork Limited network of financial advisers and when you enter into a relationship with NFAL, you will also enter into a relationship with Openwork and will be provided with a copy of the Openwork terms and privacy policy at that time.
• Your personal data will be recorded on both Newcastle Building Society and Openwork systems.  When you advise your NFAL adviser of any changes to your personal data, these changes will be reflected across both organisations’ systems. This is to ensure our records are accurate and up-to-date and enables Newcastle Building Society staff to assist you with any queries. This data may also be used for collating management information for business reporting purposes.
• If you have given us your consent to receive marketing communications from us about our own products, or NFAL’s, then your personal data may be used for marketing purposes. It will never be shared with other organisations for marketing purposes. You can withdraw this consent at any time.
• We also use a third-party provider called VouchedFor to collect customer reviews on NFAL’s advisers. As such, we may share your personal data with VouchedFor so you can leave a review on their website. We will only invite you to do this if you have given us your consent to do so. VouchedFor will process your data in accordance with their privacy policy which can be found here on VouchedFor’s website. 

• We may transfer your personal data to third parties outside the UK in very limited situations.
• Whenever we need to transfer your personal data out of the UK, we ensure that your personal data receives an adequate level of protection by ensuring that one of the following safeguards is in place:
  • the country to which your personal data is transferred has been deemed by the UK to provide an adequate level of protection for personal data; or
  • we put in place the appropriate contractual clauses approved for use in the UK to ensure that your personal data is treated by those third parties in a way that is consistent with and which respects UK laws on data protection.
• If you require further information about this, you can request it from the DPO using the contact details at the “How do you contact us about your personal data?” section below.

• We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
• We keep your personal data, which is necessary for providing your products and services, for as long as you have a relationship with us.  When that relationship ends, we keep your customer profile personal data for as long as necessary to enable us to either fulfil our legal obligations or to enable it to deal with any potential claims.
• We may continue to process your personal data when you have never had a relationship with us (for example, if you’ve had an unsuccessful mortgage application, we may continue to process your personal data to better understand our decision-making process to ensure we lend responsibly).
• Where we collect personal data via the use of CCTV, the CCTV images are recorded for one month, at which point the disc automatically overwrites.
• After you have closed all your accounts, we will keep your account specific personal data for as long as necessary so that we can deal with any contractual claims.  
• Details of periods of time for which we keep other aspects of your personal data are available in our data retention policy which is available from the DPO upon request by using the contact details at the “How do you contact us about your personal data?” section below.
• Just so you know: Sometimes, due to legal and regulatory obligations, or for technical reasons, we will need to keep your personal information for longer periods of time than set out above. For instance, when completing modelling and statistical analysis for our mandatory reporting requirements.
• In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Your duty to inform us of changes.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Your rights in connection with personal data

Under certain circumstances, by data protection law in the UK you have the right to:

Contact us to exercise your rights.

• If you want to make a request in relation to these rights, you can contact us at Principal Office, 1 Cobalt Park Way, Wallsend, NE28 9EJ, visit your local branch, or call us on 0345 604 0050. Alternatively, please see the “How do you contact us about your personal data?” section of this Privacy Notice.
• Unless it proves impossible or involves disproportionate effort, we will notify others with whom we have shared your data of your request to rectify, erase or restrict the processing of your personal data, if we are required to comply with your request.

No fee usually required.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive (e.g. repeated requests for the same information), or if you ask for further copies of the information. We may also refuse to comply with the request in those circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure you have the right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also need to ask you to clarify your request.

• Where you have given your consent to receive marketing from us, we may use your personal details to identify products and services which may be of interest to you. Depending on your chosen contact methods, we may contact you by letter, telephone or email. 
• This includes informing you of products and services of our commercial partners which can be purchased through us. You can say no to us using your data for direct marketing and/or update your contact preferences at any time by contacting us at your local branch, by calling 0345 604 0050 or via your online account (if you have one). Alternatively, please see the “How do you contact us about your personal data?” section of this Privacy Notice.
• We do not pass information on to other companies for their own research, analysis and marketing purposes. We may use external suppliers from time to time to process data on our behalf, for example to print and post mailings, conduct research or for data analysis. 
• We may use this information to help identify more relevant marketing communications, as well as assisting us with analysing customer trends and informing business decisions.

Our website may be linked to or from third party websites. These links are provided as a convenience only. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We are not responsible for the content or privacy principles of websites that are linked to or from our website. You should review the privacy policies of any third-party websites you visit.

We may change this Privacy Notice from time to time. If we make any material changes, we will notify you by email sent to the email address specified in your account or your postal address, or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

• If you have a complaint, please tell us about it. We take all complaints seriously and investigate all complaints. You can contact us at 1 Cobalt Park Way, Wallsend, NE28 9EJ, visit your local branch, or call us on 0345 604 0050. Alternatively, please see the “How do you contact us about your personal data?” section of this Privacy Notice.
• You also have the right to submit a complaint to the UK’s Information Commissioner’s Office (ICO) or any other applicable data protection regulator. The ICO’s details are as follows:
  • Information Commissioner's Office: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline number: 0303 123 1113 and ICO website: https://www.ico.org.uk.

• We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal data, please contact the DPO.
• You can contact the DPO for the Newcastle Building Society Group by sending an email to NBSDPO@newcastle.co.uk
• You can contact the DPO for NFAL by sending an email to NFALDPO@newcastle.co.uk