Privacy and data Policy

Swinton Group Limited (referred to as “Swinton”, “us” or “we” in this notice) is a provider of insurance broking services in the financial services sector in the United Kingdom. What this means is that Swinton arranges and administers insurance policies in conjunction with our insurance panel partners.

Insurance is the pooling and sharing of risk in order to provide protection against a possible event risk occurring. In order to do this, information, including your personal data, needs to be shared between different providers within the insurance journey, including insurers, price comparison websites, other brokers and those involved in claims management (who we call “Insurance Participants” in this notice). Swinton and the Insurance Participants are committed to safeguarding that personal data.

This notice is designed to help you understand how we and other Insurance Participants process your personal data through the insurance journey, from the point of obtaining a quote from us directly or from a price comparison website, through to taking out a policy, making a claim under your policy, to renewing your policy.

You can manage your car or home insurance safely online with ‘my Account’. Simply visit Swinton.co.uk/myaccount and, when prompted, input your policy number, post code and date of birth. You can keep your contact details up to date and make changes to your policy, including changing your vehicle details or your buildings and contents cover. You can also view, print and upload documents.

This notice sets out how we will use your personal data, and in particular, details the following:

Swinton Group Limited (company number 00756681) is registered as a company in England and Wales, with our registered address at Embankment West Tower, 101 Cathedral Approach, Salford M3 7FB. Swinton is part of the Covea Group of Companies. For more information on Swinton as an entity please see our terms of use.

In relation to the personal data we collect from you and use, we are the ‘data controller.’ This means we decide the purpose and manner in which your personal data is used and processed. The Insurance Participants may also be data controllers of your personal data, and this is explained more fully below.

Swinton may share your personal data in a number of ways:

a)  Your personal data may be used by Swinton as the data controller or shared with our sister company Covea Insurance plc (company number 613259) as is necessary and explained within this privacy policy.

b)  Swinton will also share personal data with Insurance Participants, who may be data controllers in their own right. 

c)  We may also share your personal data with law enforcement bodies, reinsurers and regulators such as the Financial Conduct Authority, as is necessary and permitted by law. In addition, in the event of a merger, acquisition, or any form of sale of some or all of our assets to a third party, we may also disclose your personal data to the third parties concerned or their professional advisors as is necessary.

d)  To assist us in providing insurance broking services to you, it is necessary for us to use third party suppliers. In using these third party suppliers, we often have to share and allow access to personal data to enable those third party suppliers to carry out the relevant services. If third party suppliers are using personal data to provide services on our behalf, they are known as ‘data processors’. Examples of important areas where we use third party suppliers (and therefore data processors) include for the purposes of:

  • web and data hosting;
  • cloud software;
  • claims management;
  • print production;
  • market research;
  • pricing and analytics;
  • providing credit;
  • credit searches;
  • brand and product development;
  • fraud prevention;
  • compliance monitoring, quality management and audit; and
  • debt management and collection.

We will ensure that any data processor we use has entered into a contract with us which fully sets out the data processor’s duties, including in relation to protecting the processing of your personal data. 

The following is a list of the types of personal data we may collect and hold about you:

Types of personal data

Details

Individual details

Name, address (including proof of address), other contact details (e.g. email and telephone numbers), gender, marital status, date and place of birth, nationality, employer, job title and employment history, and family details, including their relationship to you, vehicle and property details.

Identification details

Identification numbers issued by government bodies or agencies, including your national insurance number, passport number, tax identification number and driving license number.

Financial information

Bank account or payment card details, income or other financial information.

Risk details

Information about you which we need to collect in order to assess the risk to be insured and provide a quote. This may include data relating to your health, criminal convictions, or other special categories of personal data. For certain types of policy, this could also include telematics data.

Policy information

Information about the quotes you receive and policies you take out.

Credit and anti-fraud data

Credit history, credit score, sanctions and criminal offences, and information received from various anti-fraud databases relating to you.

Previous and current claims

Information about previous and current claims (including other unrelated insurances), which may include data relating to your health, criminal convictions, or other special categories of personal data and, in some cases, surveillance reports.


Some of the personal data you share with us may be what is known as ‘special category’ personal data. Certain categories of personal data have additional protection under data protection regulation due to their sensitivity. Special category data includes data relating to health, criminal convictions, racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric or data concerning sex life or sexual orientation. For the purposes of this notice, we should only process special category data relating to health or criminal convictions.

We may receive your personal data through various channels; over the phone, through our website, face to face and directly through secure transfer from other Insurance Participants.

We might collect your personal data from various sources, including:

  • you;
  • your family members, employer or representative;
  • other Insurance Participants;
  • credit reference agencies, anti-fraud databases, sanctions lists, court judgements and other databases;
  • government agencies such as the DVLA and HMRC;
  • open electoral register; or
  • in the event of a claim, third parties including the other party to the claim (claimant/defendant), witnesses, experts (including medical experts), loss adjusters, solicitors, and claims handlers

The particular sources which apply in each case will depend on the context and your particular circumstances.                                                                                                                                                

Disclosing other people’s information to us

You should show this notice to anyone whose personal data you provide to Swinton. You must ensure that any such personal data you supply relating to anyone else is accurate and that you have obtained their consent to the use of their personal data for the purposes set out above. Where you authorise a third party on the policy, it is our standard practice to speak to either you or the third party regarding the policy, after completing relevant identity checks.

Telephone call recording

Telephone calls with us will be recorded for training, quality and complaint handling purposes. We engage third parties to carry out compliance monitoring on our behalf, and personal data, including call recordings, is made available to such parties for this purpose.

We are an insurance broker, which means that we will present quotes and incept policies from our panel of insurers. Some of these are intermediaries who will provide quotes to us from their own panel of insurers.

In order for us to provide our insurance broking services, your personal data is shared between Insurance Participants, including our insurance panel members, some of which you will not have direct contact with. Whilst Swinton is the data controller of any data it collects or uses, during the insurance journey, other Insurance Participants may also be a data controller. The initial data controller depends on how you have taken out your policy:

  • Where your employer or another organisation took out the policy for your benefit: you should contact your employer or the organisation that took out the policy who should provide you with details of the insurer or intermediary that they provided your personal data to and you should contact their data protection contact who can advise you on the identities of other Insurance Participants that they have passed your personal data to.
  • Where you are not the policy holder or an insured: you should contact the organisation that collected your personal data who should provide you with details of the relevant data protection contact.

Our insurance panel members

Who we share your personal data with will depend upon whether you request a quote for a non-business policy, such as a personal motor policy or home policy, or whether you are a business customer. Further details are available on request.

Swinton will use and process your personal data in a variety of ways or ‘purposes’ in order to provide services to you as an insurance broker. A full list of the purposes we use is found here. We must have a legal ground to process that personal data for the activity we are undertaking.

A summary of the legal grounds we use to process personal data is set out as follows:

(i) In order to provide you with insurance quotes, set up and maintain your insurance policy, carry out fraud and credit checks, and handle claims, the legal ground for processing your personal data is that it is necessary for the performance of your insurance policy;

Failure to provide the requested personal data may mean we are unable to obtain a quote or incept a policy for you.

(ii) For the following purposes for processing data, the legal ground we use to process that personal data is that it is necessary to fulfil our legitimate interests. Therefore, it is in our legitimate interest to process personal data for the purposes of:

  • network and information security,
  • pricing modelling and analytics,
  • defence and prosecution of legal claims,
  • investigation or prosecution of fraud,
  • transfer books of business, sale or reorganisations of the business
  • direct marketing by post and phone

Further information on how we assess our legitimate interests can be made available on request.

Swinton may contact you by post and telephone for our legitimate marketing purposes in order to let you know about offers and other products and services. With your consent we may from time to time contact you by SMS or email with details of our other products and services.

We may collect personal data about you which, when combined with the personal data you have given us, helps us to target and tailor communications which we believe may be more relevant to you. 

If you would like to opt out of receiving marketing correspondence of any kind, you can let us know at any time by writing to us, by calling us on 0800 116 4181 or online at www.swinton.co.uk/contact-us/customer-feedback/

We do not sell or pass on your details to any third parties for the purposes of marketing their own products or services. 

When calculating insurance premiums, Insurance Participants may compare your personal data against industry averages. Your personal data may also be used to create the industry averages going forward. This is known as profiling and is used to ensure premiums reflect risk.

Profiling may also be used by Insurance Participants to assess personal data you provide to understand fraud patterns.

Where special categories of personal data are relevant, such as medical history or past motoring convictions for motor insurance, your special categories of data may also be used for profiling.

Insurance Participants might make some decisions based on profiling and without human intervention (known as automatic decision making).

The legal ground Swinton uses to carry out automated processing is that it is necessary for the purposes of entering into, or performance of, your insurance policy. Swinton uses automated processing for the following purposes:

(i) Fraud prevention and detection

In order to prevent or detect fraud we will check your details with various fraud prevention agencies and anti-fraud databases, who may record a search. These checks include processing conducted automatically by computers.

Insurers pass information to the Claims Underwriting Exchange database, run by the Motor Insurers’ Bureau (MIB). The aim is to help us check information provided and also to prevent fraudulent claims. We may at any time search the database including when we deal with your request for insurance.

If fraud is suspected, information will be shared with insurers and fraud prevention agencies. Swinton use Lexis Nexis as an interface to compare customer personal data with data held by these fraud prevention agencies. We search these databases when we deal with your request for insurance, at renewal, if changes are made to the policy or, in the event of an incident or claim. Other users of the fraud prevention databases, such as law enforcement agencies, may use this information in their own decision making processes.

Under the conditions of your policy, you must tell us about any incident (such as an accident or theft) which may or may not give rise to a claim. When you tell us about an incident we will pass information relating to it to our claims management business partners. All telephone calls relating to applications and claims may be monitored and recorded and the recordings used for fraud prevention and detection, training and quality control purposes.

We may also share your information with law enforcement agencies, other organisations and public bodies where we reasonably believe it is necessary for the prevention and detection of fraud, crime or where required to do so under a court order.

If your application for insurance has been declined and you believe this to be incorrect please explain why to a member of staff who will review the circumstances. You can contact us on 0800 1164181.

(ii) Credit reference checks

Soft Search

Swinton Insurance and our Insurers will conduct credit reference checks at one or more of the UK’s credit reference agencies (“CRAs”). In all cases these checks will be carried out to confirm identity, help prevent fraud and calculate premiums. This is a soft search which means it is only visible to you (if you request a copy of your credit file at the credit reference agencies) and is not visible to other organisations. This type of credit reference check will not affect your credit file.

The search will be visible on your credit report but it won't affect your credit rating as it's not an application for credit. The CRAs may add the details of our searches and personal data that we hold about you to their records relating to you.

Quotation Search

Aviva are a member of our car and van insurance panel. In order for us to obtain a car or van insurance quote from Aviva, they will need to perform a fuller credit reference check with the CRAs, which is called a quotation search. This check is conducted at quotation, renewal and in certain circumstances where policy amendments are requested. This type of search will leave a footprint on your credit file which is visible to other lenders and companies (for example, other CRA customers). Aviva do offer their own Credit product. If you choose to pay monthly via the Aviva credit agreement, the status of your quotation search will be updated to reflect your credit application and this will be visible to other lenders and companies. 

This type of search and the personal data about you may be used and disclosed by the CRAs to other lenders and companies to enable them to trace your whereabouts, recover debts that you owe and to verify your identity.

The Information Commissioner’s Office has provided guidance on how CRA checks work and how long information is retained for.

Records remain on file at the CRAs for six years after they are closed, whether settled by you or defaulted. CRAs may use this personal data for the purpose of carrying out statistical analysis about credit ratings. If you tell us that you have a spouse or financial associate with whom you have a personal relationship that creates a financial association* in a similar way to a married couple (for example if you have been living at the same address at the same time), we may:

i) search, link and/or record information at CRAs about you both,

ii) link any individual identified as your financial associate, in our own records,

iii) take both your and their information into account in future applications by either or both of you, and

iv) continue this linking until one of you notifies us that you are no longer linked.

* An association shows that you have a financial connection with someone else. This can be created by joint judgments, joint accounts, joint credit applications, or from information you have previously provided to CRAs through quotations and applications for credit.

Linked records

When CRAs receive a search from us they will link together your records and records about your spouse or financial associate. Links will remain on your credit file and theirs until such time as you or they successfully file for a disassociation with the CRAs. If your circumstances change and you believe you are no longer financially linked with another person you should contact the CRAs about this.

Contacting Credit Reference Agencies

You can contact the CRAs currently operating in the UK (CallCredit, Equifax and Experian) to find out what information they hold about you. The information they hold may not be the same so you may wish to contact more than one. Their details are below. They are entitled to charge you a small statutory fee.

Call Credit, 0330 024 7574 or log on to www.callcredit.co.uk.

Equifax, Equifax Ltd Customer Service Centre, PO Box 10036, Leicester, LE3 4FS, 0333 3214043 or log on to www.equifax.co.uk.

Experian, Consumer Help Service, PO Box 8000, Nottingham NG80 7WF or call 0344 481 0800 or log on to www.experian.co.uk

Both types of credit checks as described above may be completed when obtaining a quote for you, whenever you change or renew the policy, to offer payment options and to calculate premiums.

If you would like further information on any of this automated processing you can contact us on 0800 1164181.

(iii) Risk analytics and insurance premium pricing

We will process your personal data to determine premium pricing, and assess a number of risk rating factors relating to your insurance policy.

(iv) Marketing

We will process your personal data to enable us to develop, review and improve the services which we offer and to enable us to provide you with relevant information through our marketing programme.

We may use your information to make decisions about you using technology to track or profile your online journey, such as how you arrive on our website, and for assessing which products might be most suitable for you.

If you believe the outcome of any automated processing has resulted in an outcome that you did not expect please explain why to a member of staff who will review the circumstances. You can contact us on 0800 1164181 to explain the circumstances.

A cookie is a small text file that can be stored on your computer/device and is a standard feature on most modern websites in order to support your browser whilst navigating, to keep your website preferences and help to tailor your online experience.

We use cookies for a number of things. If you would like to read about them in more detail please see our full Cookie Policy on our website where we have listed which cookies we use and how to remove them from your device.  

Swinton will delete personal data in line with its retention policies. Personal data will be retained for the minimum amount of time necessary for each type of activity that we conduct.

For the purposes of supporting our complaint handling, quality management, regulatory requirements and to defend against legal claims, personal data associated with the provision of quotes, inceptions and management of policies will be retained for a maximum of seven years from the conclusion of your relationship with us.

Personal data will be retained for 11 years for the purpose of analysing and assessing risk in relation to insurance claims.

Personal data relating to quotes requested and subsequently not taken up by you will only be processed for marketing purposes for four years. Should you wish to stop receiving any form of marketing contact please let us know.

Call recordings will be retained for three years. Certain call recordings may be held for longer in the event that they are required to support specific regulatory investigations, complaints handling or the prevention and detection of crime.

Swinton work with Insurance panel members in order to provide you with a quote and incept insurance. Insurers will retain and delete personal data according to their own retention policies and you should ensure you read the insurer’s privacy policy in respect of your personal data processed and retained by them.

As we have set out above, third parties may be used by us to ensure we can provide all or part of the service to you. In these instances, while the personal data you provide will be disclosed to them, it will only be used for services for which we have engaged that third party.

When we engage a third party to process any personal data, we conduct appropriate data protection and information security due diligence. We use audits, evidence certifications, penetration and vulnerability tests and conduct on site reviews where appropriate. All transfers of personal data between Swinton and our suppliers are sent using a secure method.

From time to time we may need to process some of your information using third parties located in countries outside of the European Economic Area (“EEA”). If your information is processed outside the EEA, we will take all necessary steps to ensure it is adequately protected. This includes ensuring there is a contractual agreement in place with the third parties which provides the same level of protection as required by the data protection regulation in the UK and EEA.

As we control how your personal data is used, we are the data controller and you are the ‘data subject.’ Under data protection regulations you have rights as a data subject. You may have the right as a data subject to require us to:

  • provide you with further details on the use we make of your personal data including special category data;
  • provide you with a copy of the personal data you have provided to us;
  • provide information that you have provided to us to either you or a third party in a reusable format; 
  • update any inaccuracies in the personal data we hold about you;
  • delete any special category of data/personal data that we no longer have a lawful ground to use;
  • where you have consented to Swinton processing your personal data for a particular purpose, to withdraw your consent so that we stop that particular processing;
  • object to any processing based on the legal ground Swinton is processing it in its legitimate interests unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights; and
  • restrict how we use your personal data whilst a complaint is being investigated.

In certain circumstances we may need to restrict the above rights in order to protect public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). We will explain this to you as necessary.

Request about my personal data

You are entitled to request a copy of or amend the data we hold about you.

Your Right To Complain To The ICO

If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights in this section, or if you think that we have breached data protection regulation, then you have the right to complain to the Information Commissioner’s Office (“ICO”).

Please see below for contact details of the ICO

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 0303 123 1113 (local rate) or

01625 545 745 (National rate)

Email: casework@ico.org.uk

If you have any questions in relation to our use of your personal data, you should first contact the Data Protection Officer, Swinton Insurance, Embankment West Tower, 101 Cathedral Approach, Salford, M3 7FB.

If you would like to speak to us about how we use your information you can contact us on 0800 1164181.

Appendix A

List of legal grounds we rely upon

Legal Ground For processing personal data and special categories of personal data

Performance of our contract with you

Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.

Compliance with a legal obligation

Processing is necessary for compliance with a legal obligation to which we are subject. 

Protection of vital interests of you or another person

Processing is necessary in order to protect the vital interests of you or another natural person.

In the public interest

Processing is necessary for the performance of a task carried out in the public interest.

For our legitimate business interests

Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where you are a child. These legitimate interests are set out next to each purpose.

 
For processing special categories of personal data

Your explicit consent (optional)

You have given your explicit consent to the processing of those personal data for one or more specified purposes. You are free to withdraw your consent by contacting our Data Protection contact.

Your explicit consent (necessary)

You have given your explicit consent to the processing of those personal data for one or more specified purposes, where we are unable to procure, provide or administer insurance cover without this consent. You are free to withdraw your consent by contacting our Data Protection Contact. However, withdrawal of this consent will impact our ability to provide insurance or pay claims. For more details see section 5.

Protection of vital interests of you or another person, where you are unable to consent

Processing is necessary to protect the vital interests of you or of another natural person where you are physically or legally incapable of giving consent.

For legal claims

Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

In the substantial public interest

Processing is necessary for reasons of substantial public interest, on the basis of EU or UK law.

For health services

Processing is necessary for the purposes of preventative or occupational medicine, for medical diagnosis, the provision of health or social care or treatment on the basis of EU or UK law or pursuant to contract with a health professional who is under legal or professional obligations of secrecy.


Last published 12th June 2018.