You have a range of data protection rights in relation to the information we hold about you. You can exercise any of these rights by contacting us. Note that not all of the rights are absolute – some of them depend on which lawful basis we are using to process your information.
Right to be informed
You have the ‘right to be informed’ about the processing of your personal data, in addition to other information necessary for how we process your data in a fair and transparent way. We use this privacy notice as the main way of providing you with ‘privacy information’. We provide you with this information at the time we collect your data or, if we obtain your data from another source (for example where a grandparent completes a Premium Bonds application form for a child and gives details of the child’s parent), then we will provide this privacy information within one month, usually as part of a ‘welcome pack’. You can contact us if you need further information. This right to be informed applies to data processing for any of the purposes listed in the lawful bases section.
In some circumstances, we do not have to provide this information. For example where:
- you already have the privacy information and nothing has changed
- giving you the privacy information is impossible or would require ‘disproportionate effort’, or
- giving you the privacy information would make it impossible to use your data or seriously damage the reasons for its use.
Right of access
You have a right to receive a copy of your personal information. This is known as a ‘right of access’. If you are concerned about the way NS&I collects and uses your personal data, you can make a data subject access request and we will send you a copy of the information we hold about you. This is another way for you to be informed of which personal data we hold and how we use it, in addition to this privacy notice.
When we reply, you will receive:
- confirmation that we are processing your personal data;
- a copy of your personal data; and
- other supplementary information (largely corresponding to the information that you may find in our privacy notice).
You can make a subject access request verbally or in writing. The Information Commissioner’s Office recommends that if you make your request verbally, you should follow it up in writing to provide a clear trail of correspondence and help explain what information you are asking for.
If you want to make a subject access request another way, for example, through web chat or secure message, and do not use the form, you will need to give us the same details.
If you want to make a subject access request via social media, your request will be public and we do not recommend its use. If we are unable to identify you in this way, you will still need to send us the same details that the form requires, preferably by a more secure channel.
This right applies to data processing for any of the purposes listed in the lawful bases section, but in some cases (for example market research or statistical data) where we are not able to identify you, we would not be able to provide you with that information.
You can download and print a data subject access request form or contact us with all the information we ask for on the form.
Download a data subject access request form
Right to data portability
Where we process your personal information by automated means for contractual purposes, or with your consent, you can ask us to provide a copy of the information we hold about you in a structured, machine readable format (for example a CSV file). You also have the right to ask us to transfer your data to another organisation but only where this is ‘technically feasible’. This is known as the ‘right to data portability’.
This right only applies to personal data:
- held electronically, and
- that you have provided to us.
Data you have provided does not just mean information you have typed in, such as a username or email address, but may also include data we hold in relation to your use of an account or service. This may include:
- website or search usage history
- payments in or out of a savings account.
Also, under ‘Open Banking’ you may choose to share some of the transaction data relating to some of our accounts with another banking service provider.
Right to rectification
You have the ‘right to rectification’ of your personal information. You have the right to have information we hold about you corrected where it is incorrect or out of date, and completed where it is incomplete. We occasionally contact customers to improve the quality and completeness of the data we hold, but we rely on you to let us know if your circumstances or details have changed (for example if you change your name or address).
If the information we hold about you is incorrect, out of date or incomplete, please let us know and we will put it right. You should:
- state clearly what you believe is inaccurate or incomplete
- explain how we should correct it, and
- where available, provide evidence of the inaccuracies.
While this right applies to data processing for any of the purposes listed in the lawful bases section, there may be some cases where we would not need to rectify your data (for example if we test our systems or services using ‘scrambled’ data to partially obscure your identity, that scrambling is intentional and will not affect the data we hold as part of your customer record). If we are satisfied that the personal data we hold are accurate, we will tell you that we will not be amending the data. We will explain our decision, and let you know of your right to make a complaint to us. You may then complain to the ICO or seek to enforce your right through a judicial remedy.
There are some cases where rectification would not be possible, for example where we have anonymised your personal data for market research purposes or statistical analysis. In these cases it would not be possible to identify your data, so it would be impossible to verify its accuracy or restrict its use or delete it.
You also have the ‘right to be notified’ about any rectification of your personal data or restriction of its processing with regard to any organisations if and when we have shared your information with them. You also have the right to be informed of who we share your information with and why. Much of this information is provided in this privacy notice and is again available through a data subject access request (see ‘Right of access’, above).
Right to restrict processing
You can limit the way NS&I uses your personal data if you are concerned about the accuracy of the data or how it is being used. If necessary, you can also stop NS&I deleting your data. Together, these opportunities are known as your ‘right to restriction’.
Like the right to rectification, this right applies to data processing for any of the purposes listed in the lawful bases section, unless we have anonymised your personal data (for example, for market research purposes or statistical analysis). In these cases it would not be possible to identify your data in order to restrict its use.
You can ask us to temporarily restrict the use of your data when we are considering:
- a challenge you have made concerning the accuracy of the data we hold, or
- an objection you have made to the use of your data.
You may also ask us to restrict the use of your data rather than delete it if:
- we have processed your data unfairly or unlawfully but you do not want it deleted, or
- we no longer need your data but you want us to keep it to create, exercise or defend a legal claim.
There are some cases where rectification would not be necessary, for example:
- we have your consent to continue processing your data
- the data are needed for legal claims
- the data are needed to protect another person’s rights, or
- its use is for reasons of important public interest.
Right to erasure
You can, in some circumstances, ask us to delete personal data that we hold about you. This is known as the ‘right to erasure’, also known as the ‘right to be forgotten’.
This right applies to data processing for any of the purposes listed in the lawful bases section, where:
- we no longer need the personal data for the purposes for which we originally collected it, or
- the processing is based on your consent and you have withdrawn your consent, or
- you have objected to the processing and we do not have any overriding legitimate reason to continue the processing, or
- we are processing your personal data for direct marketing purposes and you object to that processing, or
- we have unlawfully processed the personal data, or
- we have to erase the personal data to comply with a legal obligation in UK law.
Most of our processing is governed by contractual, statutory or regulatory purposes, and these purposes often dictate how long we need to keep your personal data for. Please see our ‘How long do you keep my information for’ section of this privacy notice.
The right to erasure does not apply if we need to process your data for one of the following reasons:
- to comply with the Freedom of Information Act 2000;
- when we are legally obliged to keep hold of your data;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- when erasing your data would prejudice scientific or historical research, or archiving that is in the public interest; or
- when keeping your data is necessary for establishing, exercising or defending legal claims.
There are some cases where we would be unable to comply with your erasure request, for example, where we have anonymised your personal data for market research or statistical analysis. In these cases, it would not be possible to identify your data, and therefore impossible to comply with your right to erasure.
If, having considered your request, we decide not to erase your data, we will still reply to you and explain why not, and let you know about your right to make a complaint to us. You may then complain to the ICO or seek to enforce your right through a judicial remedy.
Right to object
Where we are processing your personal information for the performance of a task carried out in the public interest or in the exercise of our official authority or where we have a legitimate interest in doing so, you can object to the processing, based on your particular situation, on the grounds that it is causing you damage or distress (for example financial loss), or where it impacts on your fundamental rights and freedoms, and you’d like us to stop. You must clearly state the specific reasons for your objection, based on your particular situation.
If we agree to your objection, we will stop using your data for that purpose unless we can give strong and legitimate reasons to continue using your data despite your objections. You have an absolute right to object to us using your data for direct marketing (in other words, trying to sell things to you). This means we will stop using the data for this purpose without seeking a legitimate reason to continue.
Before objecting you will need to know which lawful basis we are relying on (see the lawful bases section). This is because you can only object to processing when we are using your data:
- for a task carried out in the public interest
- for a task carried out in the exercise of our official authority
- for our legitimate interests
- for scientific or historical research, or statistical purposes, or
- for direct marketing.
Generally, the reason we process your personal data will determine whether or not you can object. However, there are some cases where we would be unable to comply with your objection, for example where we have anonymised your personal data for market research or statistical analysis. In these cases it would not be possible to identify your data, so it would be impossible to comply with your right to object.
We can refuse to comply with your objection if we can prove we have a strong reason to continue processing your data that overrides your objection, or where the use of your data is for a legal claim.
Right not to be subject to automated decision-making
Some of our processes are partly or wholly automated, but we don’t make decisions that have a significant or legal effect without human involvement. For example, we may check your evidence of identity electronically, but if this is unsuccessful we will write to you to ask for documentary evidence instead.
When decisions are made about you without people being involved, this is called ‘automated individual decision-making’, or ‘automated processing’ for short, and includes some profiling.
You have the right not to be subject to a decision that is based solely on automated processing if the decision affects your legal rights or other equally important matters (for example automatic refusal of an online credit application, and e-recruiting practices without human intervention).
We do not make decisions based solely on automated processing. Where automated decisions may be made, these are usually:
- necessary for the purposes of a contract between you and NS&I
- authorised by law (for example to prevent fraud or tax evasion), or
- based on your explicit consent.
In these cases, there is always some form of human intervention at the decision stage and we offer the following additional rights:
- to understand the reasons behind decisions made about you and the possible consequences of the decisions, and
- to object to profiling in certain situations, including for direct marketing.
Nevertheless, we still comply with the GDPR principles and we have explained our lawful bases for processing your personal data. We also have processes in place so that you can exercise your rights, as explained in this privacy notice.
Right to lodge a complaint with a supervisory authority
If you have a complaint about the way we have used your information, please contact us first and we will do our best to put things right for you. If you’re not happy with our response, you can escalate your complaint to the Information Commissioner’s Office (ICO) – see the end of this privacy notice for their contact details.
You also have the right to a judicial review where you consider that your rights under the data protection legislation have been infringed, or as a result of us processing your personal data in non-compliance with the legislation.
Where you have suffered material or non-material damage as a result of an infringement of the data protection legislation, you have the right to receive compensation from us for the damage suffered.
Additionally, you have the right to representation, to mandate a not-for-profit body, organisation or association to lodge a complaint with NS&I, or with the ICO, to seek a judicial review and receive compensation on your behalf where allowed for by the Data Protection Act 2018.
Where we can refuse
We can refuse to comply with your data subject rights request if we can prove we have a strong reason to continue processing your data that overrides your objection, or where the use of your data is for a legal claim, or where the data has been anonymised or scrambled and we are not able to identify it as your data. We can also refuse to comply if we believe that your request is ‘manifestly unfounded or excessive’ or repetitive in nature. In all these cases, we will explain our decision, and let you know of your right to make a complaint to us. You may then complain to the ICO or seek to enforce your right through a judicial remedy.
Of course, we cannot refuse your request to stop sending you marketing communications.
How to exercise your rights
You can do so at any time by contacting us using the details shown below.