We are responsible for ensuring compliance with the laws relating to data protection and meeting the regulator’s expectations with regard to information security. We collect information about you in order to deliver our services and for other reasons. In doing so, we take your privacy and our obligations very seriously.
In some cases, in order to comply with our legal obligations and applicable regulatory requirements, we will obtain your consent to the use of your personal information.
If you provide us with any information which constitutes “personal data” (including any “sensitive personal data”), both you and we will treat such information at all times in accordance with “Data Privacy Laws” (statutes, laws, secondary legislation and regulations pertaining to privacy, confidentiality and or data protection of personal data or corporate data, including (but not limited to) the Data Protection Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI2003/2426), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699)), E-Privacy Regulation, General Data Protection Regulation ((EU) 2016/679)) and any relevant national laws implementing Directives 95/46/EC, 2002/58/EC, 97/66/EC or General Data Protection Regulation ((EU) 2016/679))). SCR/Miller companies may hold and process such information: (i) in order to provide our services to you; (ii) to facilitate the effective management, development or operation of the SCR/Miller companies; and (iii) in any country – including countries outside the European Economic Area, which may not have comparable data protection laws.
By submitting your information to us (including a request to receive further information), by registering with our Online Services website and/or by completing an application for a job vacancy, SCR/Miller may use your information in the ways outlined in this privacy notice, including any transfer outside the EEA. You confirm any information given by you is true and complete. You agree that you will not provide any information which constitutes personal data (including any sensitive personal data) to us unless you have ensured that you have obtained all necessary consents and provided any required notices (in particular informing data subjects that their personal data will be anonymised and used for analysis purposes), or that you are otherwise permitted to provide such information to us, so that such information you provide to us can be lawfully used or disclosed in the manner and for the purposes set out in this notice. You will also ensure that any such information you do provide to us is relevant for such purposes, and is reliable for its intended use, accurate, complete and current.
Insurance involves the use and disclosure of your personal data by various insurance market participants such as intermediaries, insurers and reinsurers.The London Insurance Market Core Uses Information Notice (which is available at http://www.lmalloyds.com/GDPR) sets out those core necessary personal data uses and disclosures. Our core uses and disclosures are consistent with the London Market Core Uses Information Notice. We recommend you review this notice
We will at all times treat all confidential information we hold about you as private and confidential and protect it in the same way we would protect our own confidential information. We may disclose your personal data in the following circumstances:
(a) in the normal course of negotiating, maintaining or renewing your insurance policies;
(b) to the extent we are required to do so by law or a regulator;
(c) to insurers, surveyors, loss adjustors, IT service providers, administrative support service providers, and other like persons to the extent necessary to provide our services to you in a timely manner;
(d) to loss assessors, lawyers, and other like persons to the extent necessary to enable such third parties to provide information or services you have requested;
(e) to premium finance companies to the extent necessary to enable them to provide you with greater choice in making premium payments; and
(f) to other group companies to the extent necessary to facilitate the effective management, administration, or operation of those businesses.
(a) use any information you provide to create anonymised industry or sector-wide statistics which may be shared with third parties, on the condition that unless we have obtained your consent, information specific to you will not be revealed other than on an anonymised basis and as part of an industry or sector-wide comparison;
(b) share information concerning your insurance arrangement with insurers where this is necessary to enable insurers to decide whether to participate in any arrangement made by SCR/Miller whereby participating insurers agree to automatically insure (wholly or partly) a portfolio of risks by delegating their authority to bind individual risks within such portfolio to the lead insurer or SCR/Miller;
(c) share anonymised information concerning payment or settlement of your insurance claims with third parties to assist our other clients with payment,negotiation and settlement of their claims with the same or different insurers; and
(d) share information about your insurance placements, which may include client names, types of policy, premium and renewal dates, with insurers to enable them to provide and improve their services to you.
In the event that you are required to provide certain elements of information including personal information, contact details and medical/health information, we shall be considered a data controller of such information. We will use the information to deal with your insurance, including:
(a) process your application;
(b) manage our ongoing business relationship and any claim made under the contract of insurance;
(c) undertake statistical analysis, business reporting and marketing purposes;
(d) recover debts and prevent fraud;
(e) comply with applicable law and regulations.
We may sometimes use a credit scoring or other automated decision making system when processing information provided. We may disclose this information to other departments within our group, to advisers, agents, banks, credit reference and fraud prevention agencies or anyone to whom we propose to transfer any of its rights and/or responsibilities under this agreement, each of whom may also use such information in the ways described in this statement.
We may also disclose any information that you provide to:
(a) anyone to whom you authorise us to give such information to; and
(b) comply with any legal or regulatory requirements.
We may also use “cookies” on our websites. These are small pieces of data inserted onto your hard disk by your browser. They cannot however be used to obtain other information from your hard disk. They allow us to give you a more streamlined access to our websites.
SCR/Miller are based in the UK, and keep their main databases there. Sometimes SCR/Miller will need to send or allow access to personal data from elsewhere in the world. This might be the case, for example, when a processor or client of SCR/Miller is based overseas or uses overseas data centres.
While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when SCR/Miller does send personal data overseas it will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. For example, these safeguards might include:
• Sending the data to a country that’s been approved by the European authorities as having a suitably high standard of data protection law.Examples include the Isle of Man, Switzerland and Canada.
• Putting in place a contract with the recipient containing terms approved by the European authorities as providing a suitable level of protection.
• Sending the data to an organisation which is a member of a scheme that’s been approved by the European authorities as providing a suitable level of protection. One example is the Privacy Shield scheme agreed between the European and US authorities. Another example is Binding Corporate Rules.
If your data has been sent overseas like this, you can find out more about the safeguards used from SCR/Miller.
From time to time, we may change our privacy notice. We will notify you of changes by posting the revised privacy notice on our website.
The UK’s data protection law allows the use of personal data where its purpose is legitimate and isn’t outweighed by the interests, fundamental rights or freedoms of data subjects.
The law calls this the Legitimate Interests condition for personal data processing
The Legitimate Interests being pursued here are:
• Promoting the responsible selection of relevant products.
• Helping prevent and detect crime and fraud and anti-money laundering services and verify identity.
• Supporting tracing and collections.
• Complying with and supporting compliance with legal and regulatory requirements.
SCR/Miller’s use of your personal data is subject to an extensive framework of safeguards that help make sure that people’s rights are protected. These include the information given to people about how their personal data will be used and how they can exercise their rights to obtain their personal data, have it corrected or restricted, object to it being processed, and complain if they’re dissatisfied. These safeguards help sustain a fair and appropriate balance so SCR/Miller’s activities don’t override the interests, fundamental rights and freedoms of data subjects
If, having given your consent to the use of your data, you subsequently change your mind, you can stop all, or particular uses of your data by sending an email to firstname.lastname@example.org.
Individuals have a right to: (i) request personal data held about them is corrected, supplemented, blocked or deleted if the data is factually incorrect, incomplete or irrelevant for the purposes described herein or where it is being processed in a manner which in any way infringes applicable law; and/or (ii) request a copy of the personal data we hold about them. To obtain details of data held by us about you, please write to:
The Data Protection Officer, Miller Insurance Services LLP, 70 Mark Lane, London,EC3R 7NQ.
Your request should make it clear what type of information you are seeking. No fee is payable for such a request. Upon receipt of your request, and where all of our requirements to process such a request have been met in full, we shall respond within one calendar month of receipt.
New data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it’s processed on certain grounds, such as consent.
If you think that any personal data SCR/Miller holds about you is wrong or incomplete, you have the right to challenge it. If the data does turn out to be wrong, SCR/Miller will update its records accordingly. If SCR/Miller still believes the data is correct after completing their checks, we will continue to hold and keep it - although you can ask us to add a note to your file indicating that you disagree or providing an explanation of the circumstances.
You have the right to lodge an objection about the processing of your personal data to SCR/Miller. If you want to do this, you should contact SCR/Miller using the contact details set out above.
Whilst you have complete freedom to contact SCR/Miller with your objection at any time, you should know that under the General Data Protection Regulation, your right to object doesn’t automatically lead to a requirement for processing to stop, or for personal data to be deleted, in all cases.
In some circumstances, you can ask SCR/Miller to restrict how they use your personal data. Your rights are set out at Article 18 of the GDPR. You can find our contact details above.
This is not an absolute right, and your personal data may still be processed where certain grounds exist. This is:
• With your consent;
• For the establishment, exercise, or defence of legal claims;
• For the protection of the rights of another natural or legal person;
• For reasons of important public interest.
Only one of these grounds needs to be demonstrated to continue data processing
SCR/Miller will consider and respond to requests it receives, including assessing the applicability of these exemptions.
This section describes the types of recipient SCR/Miller typically shares data with:
Each organisation that shares financial data with the CRAs is also entitled to receive similar kinds of financial data contributed by other organisations. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies and mobile phone networks.
If SCR/Miller believes that fraud has been or might be committed, it may share data with fraud prevention agencies (FPAs). These FPAs collect, maintain and share data on known and suspected fraudulent activity. Some CRAs also act as FPAs
SCR/Miller sometimes use other organisations to help provide their services to clients and may provide personal data to them in connection with that purpose
Some data, where permitted in accordance with industry rules or where it is public information, can be shared with other organisations that have a legitimate use for it - ID verification services, for example.
The police and other law enforcement agencies, as well as public bodies like local and central authorities and SCR/Miller’s regulators, can sometimes request SCR/Miller to supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax, investigating complaints or assessing how well a particular industry sector is working.
SCR/Miller may use other organisations to perform tasks on their own behalf (for example, IT service providers and call centre providers).
People are entitled to obtain copies of the personal data SCR/Miller holds about them.
Identification data like names and addresses are kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that’s no longer needed for any purpose will be disposed of.
Data about live and settled accounts is kept on credit files for six years from the date they’re settled or closed. If the account is recorded as defaulted, the data is kept for six years from the date of the default
Generally, court judgments and other decrees and orders are kept on credit files for six years from the date of the judgment, decree or order. But, they can be removed if the debt is repaid within one calendar month of the original date or if the judgment is set aside or recalled by the courts.
Data about bankruptcies, IVAs and other insolvency-related events and arrangements are usually kept on credit files for six years from the date they begin. This period is extended if they last longer than six years. Some data, such as a bankruptcy restrictions order, can also remain on the credit file for longer than six years
Although the start of these events is automatically reported to SCR/Miller, the end (such as a discharge from bankruptcy or completion of an IVA) might not be. This is why people are advised to contact SCR/Miller when this happens to make sure their files are updated accordingly
SCR/Miller keeps most search footprints for one year from the date of the search, although it keeps debt collection searches for up to two years.
SCR/Miller may keep credit scores and credit ratings for as long as they keep a file about the relevant person.
SCR/Miller also create data, and links and matches between data. For example, Miller keep address links and aliases for as long as they are considered relevant for credit referencing purposes.
Links between people are kept on files for as long as SCR/Miller believes those individuals continue to be financially connected. When two people stop being financially connected, either can write to SCR/Miller and ask for the link to be removed. SCR/Miller will then follow a process to check the people are no longer associated with each other.
Other third party supplied data such as politically exposed persons (PEPs) and sanctions data and mortality data will be stored for a period determined by criteria such as the agreed contractual terms.
SCR/Miller may hold data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.
In the first instance, please contact SCR/Miller which has an established complaints handling service.
You can also refer your concerns to the Information Commissioner’s Office (ICO), the body that regulates the handling of personal data in the UK. You can contact them by:
• Phone on 0303 123 1113;
• Writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF;
• Going to their website at www.ico.org.uk