Privacy notice

RSA is committed to ensuring that your privacy is protected

1. Introduction

Your privacy is important to us and we are committed to keeping it protected. We have created this Privacy Notice which will explain how we use the information we collect about you and how you can exercise your data protection rights in accordance with data protection laws.

2. Who are we?

In this Privacy Notice, references to “we”, “us” or “our” mean Royal & Sun Alliance Insurance Limited (RSA), a subsidiary of Intact Financial Corporation (Intact). We provide commercial and consumer insurance products and services under a number of brands, such as NIG and FarmWeb. We also provide insurance services in partnership with other companies.

3. What information do we collect about you?

The personal information we hold about you will often come directly from you when taking out a product or making a claim. This information may include the following:

  • Your personal details (for example, your name, date of birth and gender)
  • Your contact details (for example, your postal address, phone number and email address)
  • Payment/financial details (for example, direct debit or card payments)
  • Information about motoring offences and criminal convictions
  • Information relating to your health (for example, highlighting conditions which relate to your ability to drive or when making a claim for personal injury)
  • Details about the items you wish to be covered by the insurance (e.g. car make and model, your home, etc).
  • Information from your digital devices, such as IP address, where the device is located (for example the UK), use of websites (usually via cookies), the type of device being used, operating system and how you interact with us
  • Personal information that may be provided to us as necessary in order to allow us to administer a contract of insurance, including the handling of claims.

In submitting an application to us, you may provide us with equivalent or substantially similar information relating to other proposed beneficiaries under the policy, such as (but not limited to) family members, joint policy holders, and (where relevant to our products and services) directors, shareholders, tenants, employees, customers etc. You agree that you will bring this Privacy Notice to the attention of each beneficiary at the earliest possible opportunity, as it details how their information will be used by us.

If you need to claim against your insurance policy, we will need to collect information about the incident and this may be shared with other selected companies to help process the claim. If other people are involved in the incident, we may also need to collect additional information about them which can include special categories of personal data (e.g. injury and health data). We may also need to share information about you with the representatives of other people involved in an accident with you to administer their claim, or to commence recovery action against them on your behalf.

4. Where do we collect information we hold about you?

Where possible, we’ll collect your personal information directly from you. However, on occasion we may collect or receive details about you from other people or companies. For example:

  • Joint policy holders
  • Insurance brokers
  • Where an individual or a company has applied for an insurance product on your behalf (e.g. a family member or an employee)
  • It was supplied to us when you purchased an insurance product or service that is provided by us in partnership with other companies
  • Credit reference agencies who provide information, including but not limited to credit data and electoral roll information
  • DVLA
  • Insurance related sources (e.g. Motor Insurance Database, Claims and Underwriting Exchange and fraud prevention databases).
  • Organisations which assist with claims handling, for example suppliers or medical professionals and hospitals
  • Publicly available sources, such as social media profiles, media stories and online registers
  • Third party organisations who provide information for marketing purposes
  • Data Brokers and/or similar third party organisations, who collate data and personal data for organisations. Where this data is obtained by RSA, we will ensure that the data has been collected in compliance with relevant legislation

We request those third parties providing us with information to comply with data protection laws and act in a transparent manner in respect of any such disclosures.

We may record telephone calls with you for purposes including, but not limited to, the following:

  • to maintain an accurate record of our conversation in respect of a dispute, or an enquiry from our regulators;
  • to check for mistakes and to train staff;
  • to prevent, detect, investigate and prosecute fraud and financial crime; and
  • for use in the exercise, establishment and defence of a legal claim.

Sometimes, calls may not be recorded if:

  • there’s a technical fault with the telephony system;
  • a call handler is using equipment which does not let calls be recorded; or
  • you’ve been transferred to a different line.

6. Data analytics

We use your personal data, together with personal data of other customers, potential customers and other third parties as set out in section 4 of this Privacy Notice to conduct analysis which allows us to:

  • Understand our customers and the products and services that interest them;
  • Identify customers displaying characteristics which require additional support from us;
  • Develop more sophisticated pricing models;
  • Develop new products and services and improve our processes;
  • Improve the way our artificial intelligence, machine learning and statistical modelling tools work;
  • Predict the likely occurrence of an insured event;
  • Predict claims volumes; and
  • Detect and prevent fraud and financial crime.

Prior to using your personal data we carry out checks to ensure that the use of your personal data is compliant with the law and that it will not inadvertently create outcomes that are unlawful or unfairly biased. We will also test the data available to us using statistical modelling techniques and processes to ensure that we only use data that will provide us with meaningful insight for purposes including, but not limited to, those listed above.

7. Who will we share your personal information with?

We will keep your personal information confidential at all times and only process it in accordance with this Privacy Notice. We will share your information with our employees and contractors for the purpose of providing our service to you and for exercising our legitimate interests.

We do not disclose your information outside of RSA or the Intact Group except:

  • Where we need to check the information you gave to us with a third party organisation before we can offer you an insurance product (e.g. credit reference agencies);
  • Where we are required or permitted to do so by law or relevant regulatory authority (e.g. financial crime/sanction screening, fraud detection/prevention);
  • In the event that we may be taken over, or transfer or sell any business or assets, in which case we will disclose your personal information to the prospective buyer of such business or assets. They will only be able to use the data for the same purposes for which it was originally provided;
  • As required to enforce the contract of insurance itself;
  • As required in order to give effect to contractual arrangements we have in place with any insurance broker and/or intermediary through which you have arranged this policy including where we provide insurance services in partnership with other companies (e.g. building societies, retailers);
  • With healthcare providers in the context of any relevant claim being made against your policy;
  • If we appoint a third party to process and settle claims under the policy on our behalf, in which case we will make your personal information available to them for the purposes of processing and settling such claims;
  • With our third party service/assistance providers (including hosting/storage providers, research agencies, technology suppliers, language translation service providers, etc.);
  • With our reinsurers (and brokers of reinsurers) in connection with the normal operation of our business;
  • With our claims suppliers (including vehicle repairers, loss adjustors, etc.) for the purpose of providing you with claims services pursuant to the contract of insurance;
  • With various fraud prevention databases for the purposes of fraud detection and prevention;
  • With third parties such as data brokers who will use this to provide us with additional data for analytical purposes as set out in section 6 of this Privacy Notice.
  • Your advisors (such as lawyers or professional advisors), who you have given authority for us to share your personal information with or given authorisation to deal with us directly for example a power of attorney;
  • Social media companies (in a secure format) so they can display messages to you about our products and services, or to make sure you do not get irrelevant messages (for example, we will not show messages about products / services you already have);
  • We work in partnership with the Motor Insurers’ Bureau (MIB) and associated not-for-profit companies who provide several services on behalf of the insurance industry. At every stage of your insurance journey, the MIB will be processing your personal information and more details about this can be found via their website: mib.org.uk. Set out below are brief details of the sorts of activity the MIB undertakes:
    • Checking your driving licence number against the DVLA driver database to obtain driving licence data (including driving conviction data) to help calculate your insurance quote and prevent fraud
    • Checking your ‘No Claims Bonus’ entitlement and claims history
    • Preventing, detecting and investigating fraud and other crime, including by carrying out fraud checks
    • Maintaining databases of:
      • Insured vehicles (Motor Insurance & Policy Data or Motor Insurance Database)
      • Vehicles which are stolen or not legally permitted on the road (Vehicle Salvage & Theft Data or MIAFTR)
      • Motor, personal injury and home claims (CUE)
      • Employers’ Liability Insurance Policies (Employers’ Liability Database)
    • Managing insurance claims relating to untraced and uninsured drivers in the UK and abroad
    • Working with law enforcement to prevent uninsured vehicles being used on the roads
    • Supporting insurance claims processes

Sometimes your personal information may be sent to other parties outside of the UK and the European Economic Area (EEA) in connection with the purposes set out above. We will take all reasonable steps to ensure that your personal information is treated securely and in accordance with this Privacy Notice, and in doing so may rely on certain "transfer mechanisms" such as the standard contractual clauses approved by the European Commission and the UK Information Commissioner’s Office. If you would like further information please contact us.

8. Which decisions made about you will be automated?

Before we can offer you an insurance product or service, we may need to conduct the following activities, which involve automated (computer based) decision-making:

  • Pricing and Underwriting – this process calculates the insurance risks based on the information that you have supplied. This will be used to calculate the premium you will have to pay. Please refer to section 6 for more information on how we use data analytics.
  • Credit Referencing – using the information given, calculations are performed to evaluate your credit rating. This rating will help us to evaluate your ability to pay for the quoted products and services. These calculations can take place at any stage of a quote, a policy renewal or in certain circumstances where a mid-term amendment to your agreement is requested.
  • Automated Claims – some small claims may qualify for automated processing, which will check the information you provide, resulting in a settlement or rejection of your claim.

The results of these automated decision-making processes are only allowed where we have a legal reason, as they may limit the products and services we can offer you.

If you do not agree with the result, you have the right to request that we perform a manual reassessment using the same information that you originally provided. If you wish to do so, please contact us.

9. How long will we keep your information?

We will retain your personal information for as long as we have a relationship with you. Once our relationship has ended (for example, your policy has expired, your application is declined or you do not go ahead with a quotation) we will only retain your personal data for as long as is necessary to satisfy any legal, accounting or reporting obligations, or as necessary to resolve disputes.

To assist with the determination of the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes we process your personal information for and whether we can achieve those purposes through other means.

In addition, your personal information will be retained under one or more of the following:

  • To maintain business records for analysis, auditing or for a limited period of time, using some of your personal information to improve the products or services we provide.
  • For as long as your personal information is required to allow us to conduct fraud and/or criminal checks and investigations.
  • To deal with any future complaints about the products and services we provide
  • For as long as is required by statutory authorities to meet our obligations for accounting, legal, tax and regulatory purposes.
  • For as long as is required to defend or take legal action.

In general, we will retain your personal information for a period of 7 years from the date of cancellation of your contract of insurance or the closure/settlement of your claim. There may be some reasons why we need to retain your personal information for longer periods, for example in the case of employer’s and public liability insurance and subsidence matters.

10. Will you be contacted for marketing purposes?

We will only contact you for marketing purposes if you have previously agreed. This could be via any channel we hold contact information for you. Where that’s the case:

  • We will let you know about offers and services we think you’ll like and any special offers available to you as an existing customer. Where appropriate these messages may be personalised using information you have previously provided us.
  • We will only contact you for marketing purposes if we collected your information directly or when authorised and instructed by a third-party acting on your behalf.
  • We may use the information which we collect about you to show you relevant advertising on third-party websites (e.g. Facebook or Google). This could involve showing you an advertising message where, through the use of cookies, we know you have browsed our products and services. If you don’t want to be shown targeted online advertising messages from us, you can change the advertising setting on some third-party sites and some browsers to block our adverts.
  • In some circumstances we may share some of your information (in a secure format) with social media companies so that they can match this to information they already hold to display messages to you about our products and services.

You can ask us at any point to stop sending you marketing, and request that your personal information is not processed for the purposes of marketing.

11. What are your rights over the information that is held by us?

We understand that your personal information is important to you, therefore, in accordance with your rights under data protection laws, you may request that we:

1. Provide a copy of the personal information we hold about you. This is known as the right of subject access and is an entitlement to a copy of the information only; you are not entitled to documents.

2. Delete your personal information. This is known as the right of erasure. Please note, we may not be able to comply with this request in full where, for example, you are still insured with us and the information is required to fulfil the conditions of the insurance contract.

3. Give you (or a third party) an electronic copy of the personal information you have given us. This is known as the right of data portability. We would provide the information in a commonly used electronic format.

4. Restrict how we use your personal information under the following circumstances:

a. If you believe that the information we hold about you is inaccurate;

b. If you believe that our processing activities are unlawful but you do not want your information to be deleted.

c. Where we no longer need to use your information for the purposes set out in this Privacy Notice, but it is required for the establishment, exercise or defence of a legal claim.

d. Where you have made an objection to us (in accordance with point 5 below), pending the outcome of any assessment we make regarding your objection.

5. Enable you to object to the ways in which we are using your personal information, under the following circumstances:

a. Where we believe it is in the public interest to use your information in a particular way, but you disagree.

b. Where we have told you we are using your data for our legitimate business interests and you believe we shouldn’t be (e.g. you were in the background of a promotional video but you did not agree to be in it).

For points a and b above, we will stop using your information unless we can reasonably demonstrate legitimate grounds for continuing to use it in the manner you are objecting to.

6. Correct any personal information we hold. Please contact us if any information is incorrect, or any of your personal information has changed.

For certain limited uses of your personal information, we will ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal information. Please note in some cases we may not be able to process your insurance if you withdraw your consent.

If you would like to request any of the above, please contact us via our email address datasubjectrights@uk.rsagroup.com or write to us at:

The Data Protection Officer 
RSA 
Northgate House
Halifax 
HX1 1UN

To ensure that we do not disclose your personal information to someone who is not entitled to it, when you are making the request we may ask you to provide us with:

  • Your name;
  • Address(es);
  • Date of birth;
  • Any policy IDs, claim numbers, or reference numbers that you have;
  • A copy of your photo identification, such as your photocard driving licence or passport; and
  • A copy of a utility bill showing your name and address dated within 3 months of your request.

If you appoint a third party to act on your behalf, for example, a friend or a solicitor, we will ask them to provide your signed authority for them to act on your behalf AND the identity information and documents listed above.

All rights requests are free of charge, although in exceptional circumstances for certain rights, such as access, we reserve the right to charge a reasonable administrative fee.

Wherever possible, we will respond within one month from receipt of the request, but if we don’t, we will notify you of anticipated timelines ahead of the one month deadline together with a brief explanation as to why we are unable to respond within the initial one month deadline. Please note that simply submitting a request doesn’t necessarily mean we will be able to fulfil it in full on every occasion – we are sometimes bound by law which can prevent us fulfilling some requests in their entirety, but when this is the case we will explain this to you in our response.

12. Cookies

Cookies and similar technologies are small text files that are placed on your device (computer, mobile phone or tablet) when you visit a website, use an app or they can be included within emails.

We use cookies for many different functions such as:

  1. Collect information to help us to distinguish visitors, to understand visitors’ browsing habits on our website and to improve their experience.
  2. Compile statistical reports on website activity e.g. numbers of visitors and the pages they visit.
  3. Collect information that will allow us to tailor advertising to make it more relevant for you, based on your previous interactions with our website.
  4. Remember information about you when you visit our site. Some of the cookies are essential in order to provide our services to you.

For more information on our cookie use visit https://www.rsainsurance.co.uk/cookies-policy/ or for more general information about cookies visit http://www.allaboutcookies.org

13. Our Privacy Notice

If you have any queries regarding our Privacy Notice, please contact us at the address below and we will be happy to discuss any query with you. Our Privacy Notice will be updated from time to time, so please check it each time you submit personal information to us or renew your insurance policy.

The Data Protection Officer 
RSA 
Northgate House
Halifax 
HX1 1UN

You may also email us at privacy@uk.rsagroup.com.

14. How you can make a complaint

If you wish to raise a complaint on how we have handled your personal information, please send an email to our Customer Relations Team using their email address crt.halifax@uk.rsagroup.com or write to us using the address below:


RSA
Customer Relations Team
PO BOX 255
Wymondham
NR18 8DP

If you are dissatisfied with our response to your complaint, you have the right to refer your complaint to the Information Commissioner’s Office. You can do this by accessing their website https://ico.org.uk/ or by calling their helpline on 0303 123 1113, or writing to them at the address below. You also have the right to seek a judicial remedy.


Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

You also have the right to contact the Financial Ombudsman Service, free of charge, but you must do so within six months of the date of our decision letter. If you do not refer your complaint in time, the Ombudsman will not have our permission to consider your complaint and so will only be able to do so in very limited circumstances. For example, if the Ombudsman believes that the delay was as a result of exceptional circumstances.

15. Representatives

The General Data Protection Regulation (GDPR) requires organisations that are not established in the European Union (EU) to designate a representative in the EU if they are subject to the GDPR, for example by offering products or services to EU citizens.

RSA and Intact may undertake processing activities to which the GDPR applies; for this reason we have appointed Representatives to act on our behalf.

Our EU Representative

RSA does not have an establishment in the European Union, therefore we have appointed a local representative based in Luxembourg to whom you may address any issues and/or queries you may have relating to our processing of your personal data and/or this Privacy Notice more generally. Our EU representative will also deal with data subject rights requests for EU citizens and enquiries by EU supervisory authorities on our behalf.

Our EU representative is RSA Luxembourg S.A. Our EU representative can be contacted directly by emailing them at the following address: rsa.dp@eu.rsagroup.com.

However, please do not use the above email address for any data protection queries relating to UK policies or claims. Queries relating to UK data protection matters should be referred to us at privacy@uk.rsagroup.com and not to our EU Representative.

Intact UK and EU Data Representatives

Intact does not have an establishment in the United Kingdom (UK) or the EU, and has therefore appointed local representatives to whom you may address any issues and/or queries you may have relating to their processing of your personal data and/or this Privacy Notice more generally. The representatives will also deal with data subject rights requests for UK and EU citizens and enquiries by UK and EU supervisory authorities on Intact’s behalf.

Intact’s UK representative is Royal & Sun Alliance Insurance Limited. The UK representative can be contacted directly using the contact details at the bottom of this Privacy Notice.

Intact’s EU representative is RSA Luxembourg S.A. The EU representative can be contacted directly by emailing them at the following address: rsa.dp@eu.rsagroup.com.