Privacy

Introduction

Chesnara Plc and its divisions (together ‘the Company’) recognise the importance of providing clarity around the collection, use, and storage of personal data. We ensure that we operate appropriate policies and procedures throughout all our operations in order to ensure that such actions are done carefully, securely and confidentially.

This summary provides an overview of the policies and practices we have in place across the group in relation to both the privacy of personal data, being individuals’ rights around which data we collect and how they can access it, and data protection/security, being how we ensure that personal data remains secure throughout the time we hold it.

While Chesnara plc itself does not collect, use or store any customers’ personal data, customer data is held by the relevant divisions and their data processing third parties. Each of our divisions employs its own privacy and data protection policies, which comply with local laws and regulations. Where relevant, rules applicable to individual divisions are identified throughout this document.

Information privacy

How do we collect personal data?

We collect information through lawful and transparent means and with explicit consent where required in order to provide the best possible service to our customers.

In accordance with relevant divisional practices, we collect data from a number of sources. This may be directly from individuals when provided, but data can also be collected from insurance brokers, employers or other third parties. We may also obtain information from public or other externally available sources, such as registers maintained by public authorities, sanctions lists and other commercial providers of data, such as lists of politically exposed persons.

What personal data do we collect?

Personal data refers to information which can be directly or indirectly traced back to an individual. Processing of personal data includes all handling of personal data, such as collection, registration, modification, and storage. Some examples of the types of personal data which we may collect and use include:

  • Full name, address and contact details, including email address
  • Date of birth
  • Sex/gender
  • Marital (or relationship) status
  • Information about health
  • National Insurance number
  • Bank account
  • Information from credit reference or fraud prevention agencies, electoral rolls, court records of debt judgements, bankruptcies, and other publicly available sources
  • Financial information, including details of salary and other forms of remuneration

We may also collect technical information, such as IP address, date/time stamp or pages accessed on our website. For our statement on the use of cookies, please see here.

Why do we collect personal data?

We process personal data on one or more of the following bases, dependent on division and jurisdictional requirements:

  • The processing is necessary for the performance of the agreement.
  • The processing is necessary to comply with a legal obligation.
  • The processing is necessary for the purposes of a legitimate interest, for example the investigation of a possible fraud. In doing so, the legitimate interests of the Company or a third party are weighed against the individual’s interests.
  • The Company has asked permission for the processing of personal data. Note that consent to the processing of data may be withdrawn at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.
  • The processing is necessary for the administration of policies, including updating and delivering our services.
  • We will also process information for good governance, accounting and managing, auditing our business operations, and consumer research purposes.
  • We will not collect and process data that is outside of these stated purposes.

What are individuals’ rights in relation to personal data?

Individuals have a number of rights in relation to information held about them. Exercising these rights is subject to certain restrictions depending on circumstance and division. Here, we provide an overview of the rights individuals may hold. Each of our divisions has an overview of the rights exercisable by individuals. If individuals wish to exercise their rights or wish to know more about them, they can do so by contacting us using the contact information found further down the page.

Right of access

Data subjects have a right to access the personal data we hold about them. This means that they have a right to receive information about how the Company processes their personal data and a copy of that data in a format which suits them.

Right to rectification

If any data we hold about a data subject is incorrect or incomplete they have the right to request that such data be corrected. This also means that they have the right to supplement data with any missing personal data if it is relevant with regard to the purpose of the personal data processing. We are happy to help data subjects rectify information we hold about them upon request.

Right to erasure (“right to be forgotten”)

Data subjects have the right to have their data removed from our systems under certain circumstances. These include: where the personal data is no longer needed for the purposes for which it was collected, where deletion is required to comply with a legal obligation, and where personal data has been unlawfully processed.

Right to restriction

In certain circumstances, data subjects have the right to temporarily stop us from using their personal data, for example where they dispute the accuracy of our representation of their personal data.

Right to object

Data subjects have the right to object to certain processing of their personal data. If they exercise this right, it may have consequences regarding the services we will be able to offer them.

Right to data portability

If we are asked to do so, we must securely forward a data subject’s personal data to another institution.

Right to withdraw consent

If we have asked a data subject for permission to process certain personal data, they may withdraw this consent at any time. We will then no longer be allowed to use their personal data. The withdrawal of consent does not affect the lawfulness of the processing carried out before the consent was withdrawn.

Right to not be subject to solely automated processing

With some contracts, personal data may be used in an automated decision making process. Data subjects have the right to request a manual decision, express an opinion, or dispute a decision based solely on automated processing.

Exercising rights in relation to personal data

If an individual is unhappy at any stage with how we are using their personal data, they have the right to lodge a complaint. To complain or exercise any other right outlined above in relation to a division’s use of personal data, including amending or rectifying data, use the links below to access divisional policies with relevant contact details. For exercising rights in relation to data collected by Chesnara plc, please see the contact us section here. Following contact, we will direct individuals to the relevant person within our company to deal with the request.

Information security/data protection

The protection of individuals’ information is extremely important to us, and we are committed to implementing compliant data protection standards throughout our business and strive to align them with market-leading practices. We have in place numerous measures to ensure that data is handled properly. All divisions comply with applicable laws and regulations of the respective jurisdictions.

Group Principles

We have no appetite for any material loss of, or unauthorised/illegal access to, confidential personal data. The Company requires that each division has a (local board) approved IT/Data Security Policy that aligns with the Group’s principles and provides additional detail on the controls in place. That policy is subject to an annual attestation process completed by the Policy Owner and facilitated by the local Chief Risk Officer, and includes (as a minimum) content on processes, controls, minimum standards and clear accountability (individuals and committees), covering the following topics:

  • A baseline technology configuration.
  • Keeping all operating systems and security within support requirements and within a defined update schedule.
  • Management of user access, privileges and segregation of duties to reduce the impact of misuse or compromise of user accounts, including a policy on the required layers of authentication.
  • Physical and logical controls to allow confidential and sensitive information assets to be stored and transmitted securely.
  • Anti-malware strategies, including tools to avoid or minimise the impact of any malicious or undesirable code or content on the business systems and operations, including regular monitoring and testing activity.
  • Use of personal devices for performing any business-related activities.
  • Appropriate security standards for home- and mobile-working, if it is allowed.
  • Incident management processes to maintain resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact.
  • Robust and secure back-up and recovery mechanisms to support the Disaster Recovery and Continuity Plans.
  • Regular education in IT and Data security in order that employees and contractors recognise the critical role that they play in the organisation’s security.
  • Oversight of IT and Data Security activity within Outsource Service Providers who are custodians of the entities’ data, including private and cloud environments.
  • Use of cloud computing services.
  • IT/Data change management/governance including the assessment, authorisation and monitoring of system changes.
  • Compliance with applicable statutory, regulatory and contractual obligations as well as internal company standards.

Responsibility

The protection of personal data falls within the remit of the relevant divisional individual responsible for information security, whose role is to introduce, champion and maintain our internal policies relating to information security. Our policies set out proactive measures aimed at reducing the risk of personal data being mishandled, as well as reactive measures ensuring that any breach that does occur is properly dealt with.

Within the UK, data security forms part of the wider framework of information security, which contains policies on all topics relevant to protecting and keeping safe information and IT assets of Countrywide Assured (CA) and Chesnara plc. The framework provides detail on the key regulatory standards and legal requirements applicable, as well as outlining relevant roles and responsibilities.

Practices

Based upon our policies, we have taken appropriate technical, organisational, and administrative security measures to protect any data that we hold against loss, misuse, and unauthorised access, disclosure, alteration, and destruction. Our UK operations outsource the retention and management of customer data to Outsourced Service Providers (OSPs).

For this reason, within our UK division, we ensure that our third parties are certified to widely recognised standards, including ISO 27001, ensuring that adequate measures on data security are implemented at the most relevant levels of Chesnara’s operations. Some measures we have implemented to ensure data is properly secured include, for example, oversight of our third parties to ensure they have appropriate classifications of data, authorisation restrictions, and physical access controls (including encryption techniques). We conduct regular internal audits on our technologies and practices which affect data we hold, providing assurance that our risk management, governance, and internal control processes are operating effectively. Internal audits cover a broad range of topics including information security and user data, oversight of third parties, data quality, IT change management and general IT controls.

It is important to us that our systems are effectively and safely used, which is why we conduct regular employee training on information security.

We seek ongoing specialist external advice and update IT infrastructure as appropriate. Our outsourced IT provider in the UK is accredited (ISO 27001) and is therefore subject to external audits. We ensure that sufficient risk assessments/integrity checks are carried out on any such third party in line with our due diligence process.

Within the UK, if personal data becomes lost or ends up in the wrong hands, we ensure such breaches are reported to the relevant supervisory authority in accordance with reporting requirements, and to individuals in a timely manner. We maintain specific data processing agreements as part of our contracts with OSPs which create contractual notification obligations in the event of a personal data breach within an appropriate timescale, allowing for compliance with onward reporting requirements.

Sharing data with other parties

Across the Company we are committed to the security of personal data. We strictly adhere to the applicable data protection laws and regulation of our divisions, and we do not sell personal data to third parties. Personal data may, however, be shared with third parties, such as professional service providers, including data processing and administration.

We will also share personal data if there is a legal obligation to do so, such as by order of a Court in the event of a dispute.

We ensure that all third party suppliers with whom we share personal data comply with our data protection and privacy policies, and that suitable physical and technical safeguards are in place so that information is protected at all times.

We appreciate the risks that come with sharing personal data with third parties, which is why we conduct thorough risk assessments and due diligence when onboarding third parties, as well as continuing to monitor and review material risks associated with third party data processors to ensure that our standards continue to be adhered to.

Retention of Personal Data

We will not store data for longer than necessary and are committed to minimising the amount of data handled on our customers and other individuals. How long certain personal data is stored depends, among other things, on the nature of the personal data, the purposes for which it is processed, and applicable legislation. For information on the retention periods of individual divisions, please follow the links below.

Use of cookies

Our website uses cookies to provide a better browsing experience. Please read our cookies policy to find out more.

Each of our divisions maintains an individual cookie policy, which can be found on its respective website using the links below. The terms of such policies govern the use of those websites.

Updating our data protection and privacy policies

Process for updating

We conduct an annual review of our information security and data protection policy, which is approved by the Board of Chesnara as part of our wider review.

Within the UK, our division Countrywide Assured conducts a periodic review of its website, including a review of its privacy policy.

Notification of changes

Each of our policies, as well as this statement, may be amended from time to time to, for example, keep it up to date or to comply with legal requirements.

We encourage individuals to regularly read our Chesnara plc privacy statement and the respective privacy policies within our divisions in order to remain fully informed of how we use personal information.

Further information

For further information regarding our divisional data protection and privacy policies, including details on how to exercise rights or raise a complaint, please follow the links below to each of our businesses’ policies:

Countrywide Assured - Privacy policy | CountryWideAssured

Scildon - Privacy statement Scildon | Scildon

Waard - Privacy statement

Movestic - Personal Data Management-Movestic