This area of our website offers information about some of the things we do as a responsible business. For more practical information visit our cookies and privacy pages.

Our policies and practices

In line with the Human Rights Act right and data protection legislation (EU and UK GDPR, DPA 2018, PECR), we go to significant lengths to ensure we are delivering on our accountabilities.

  • We’ll only use data in a way that is specified on our How we use your information page. This explains when we collect personal information and what we do with it, including those times when we have a business, legal or regulatory requirement to share it. We regularly review our policy and use it alongside our ‘just in time’ Customer Advisory Notices. Any significant changes are communicated to individuals in a timely manner.

  • We keep an accurate and up to date Record of Data Processing (RoDP). This details the data that is processed within the Society or with any third parties, and ensures that data is only used for the intended purpose and legal basis upon which it was collected.

  • We use only the minimum amount of information needed for the processing of personal data under each defined purpose.

  • We ensure that as far as reasonably practicable, personal information is accurate and up to date, and stored in line with the defined periods set out in our retention schedules. A deletion programme is in place for data that has fallen outside of these.

  • Through the Data Governance Record Management and Retention Standard, we ensure that records within the Society are effectively identified, managed and retained in the right place, for the right period of time.

  • We have dedicated teams who are responsible for ensuring the security of systems and data. All staff (including temporary workers and contractors) understand the importance of keeping data safe and secure, and undertake mandatory annual data privacy training as a minimum, with the Data Privacy team delivering a regular programme of bespoke of role-based training.

  • Our security policies and controls govern all relevant business areas and outline how Nationwide protects the confidentiality, integrity and availability of information and systems, and access control ensures employees only have access to data they need to perform their role. Encryption and de-identification techniques are used to ensure identifiable information is anonymised where possible.

  • We also have a Physical Security policy documenting the approach to managing physical security risk. We take the security and privacy of data very seriously, and undergo regular testing and auditing of these functions, including PCI DSS and the NIST cyber maturity framework, which cover all our data security operations.

  • We ensure individuals’ rights are always respected in the processing of data. And that systems and processes are in place to ensure data subject rights can be easily exercised through all of our core channels.

  • We will only share information with our partners and suppliers that support the operation of the business, where we’re required to do so, or with specific third parties that customers have authorised us to deal with. Our Supplier Security Team ensure that due diligence is completed before we engage with a third party, including security checks and reviews.

  • We never use data in a way that would intentionally cause detriment to a data subject, but we understand that, at times, things can still go wrong. When this happens, we have an Incident Management team that ensures there is a thorough incident investigation and that corrective action is taken. They use well-established incident management, disaster recovery and business continuity plans to ensure the minimum amount of impact or harm. In the event of a data breach, if we need to notify data subjects then we are committed to doing so in a timely manner and we have clear and accessible mechanisms for individuals to raise concerns about data privacy.

How we monitor and improve our performance

Our first line of defence is our Data Privacy team, who report into the Chief Security and Resilience Officer. We have an independent Data Protection Officer (DPO), who reports into the Director of Operational Risk Oversight. The DPO is responsible for the oversight of data protection activity across the Society and in support of this aim conducts regular review activities, based on ICO standards of good practice.

The DPO prepares and presents an annual review of Data Protection activity to the Board Risk Committee.

We work proactively with the wider financial services industry and the regulator to share good practice and shape responses to new and evolving privacy risks.

Last updated: July 2024