Responsible Lending Limited is an authorised mortgage lender and is regulated by the Financial Conduct Authority under reference number FRN763158. Our principal place of business is Princess Street, Plymouth. All customer correspondence should be directed to PO Box 277, Sheffield, S98 1RP as set out in the Contact Us section of this document.
Our business is to provide Lifetime Mortgages to customers like yourself and as part of this process we are required to process your data in a number of different ways and share it with a number of different parties to enable us to enter into this contract with you. As part of this privacy notice, we will explain to you in detail, who we will share your data with, what your rights are in relation to this processing activity and information such as how long we will retain your data for.
We are required to provide you with the information in the privacy notice in order to comply with our legal obligations. Please read it carefully – we take the privacy of your personal data very seriously.
About this document
This privacy notice contains information about:
- The personal data that we process as a controller
- The reasons why we process personal data
- The legal grounds upon which we process personal data
- The security measures that we have in place to keep your personal data secure
- How long we store personal data
- The organisations with whom we might share personal data
- The rights you have under the data protection laws in relation to our processing of your personal data
Understanding the terms used in this privacy notice
The meaning of words which are shown in bold text are explained in the Glossary. Throughout this notice any reference to “we” or “us” refers to Responsible Lending LPlease note that we may change this privacy notice from time to time
The latest version of our privacy notice can be found on our website (www.responsiblelending.co.uk) or can be requested from us using the contact details contained in the part of this privacy notice headed Contact Details. We will notify you if the purposes for which we process your personal data change.
What personal data do we process?
The categories of personal data we process include the following:
- Basic information – name, address, date of birth, marital status, gender
- Property related information – address, property value
- Loan related information – loan amount, joint/single loan, cash advance, loan to value ratio
- Additional information – if you are in breach of the terms of your mortgage, we may obtain more information about the reason for the breach in order to determine what action to take. This could include access to sensitive personal data such as health information.
We primarily obtain personal data about you from your independent financial advisor, however we may also obtain information from you directly from time to time, as well as information provided to us through our pre-mortgage checks conducted with, for example, credit reference agencies.
The purposes for which we process your personal data are described in the following section of this privacy notice (Why do we process personal data?).
Why do we process personal data?
We are the data controller and need to collect information about you so that we can understand your circumstances, requirements and for certain other specified purposes as set out below.
- To provide you with information about the products you have taken out
- To perform initial and any future credit checks and to verify your identity
- To comply with legal and regulatory obligations
- For the administration and continuing review of your plan
- For business analysis and research, to improve the way we do business
- To provide you with information about products and services that may be of interest
- For general administrative purposes, including the storage and backup of data
We may obtain a variety of information about you that may include (but is not limited to) information relating to your financial circumstances (for example, your income, outgoings and existing investments), gender, dependents and marital status. We may also ask you about sensitive data such as your physical and mental health. Collecting this information not only enables us to offer you a Responsible Lending Lifetime Mortgage but also to service the loan once it has completed.
Legal grounds for processing personal data
We are allowed to process your personal data on certain legal grounds;
Article 6 (1) (b) gives us a lawful basis for processing where:
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
This will include the processing required for us to fulfil our legal and regulatory obligations relating to your application, for instance conducting Anti-Money Laundering and Fraud & Identity checks
Where this lawful basis does not apply, for instance where we collect your data for marketing purposes, we will explicitly request your consent to do so, and you may withdraw this consent at any time, see the section headed Your rights to find out how.
How do we keep personal data secure?
We take the security of information, infrastructure and applications very seriously. Our commitment to Information Security is demonstrated through the implementation of policies, controls and procedures, which are externally certified and audited to international information security standards.
We ensure all suppliers who process your data on our behalf are also certified to suitable information security standards including, but not limited to ISO27001:2013.
We have contractual arrangements in place with all of our service providers who process personal data which are compliant with data protection laws. We regularly check that our service providers are complying with their contractual commitments. This includes assessing and reporting on our service providers’ information security controls to check their compliance using questionnaires and/or on-site audits.
How long do we store personal data?
We will keep your personal data for a period of seven years from the date of redemption of the mortgage, where we deviate from this, we will advise you accordingly.
Who will we share your personal data with?
We share personal data with a variety of other companies in order to operate our business and make an offer of a Lifetime Mortgage to you. Where required by law or law enforcement authorities, we will share personal data with them to comply with law.
The companies we share personal data with are processors. This means that we determine the purposes for which the personal data we pass to them is processed and they should not process that personal data other than in accordance with our written instructions. We only share the personal data that these companies need to provide their services to us.
We share your data with the companies who fund your Lifetime Mortgage in order that they can manage and monitor the loans they have made to us.
We may share your data with your mortgage broker / independent financial adviser as part of the application process to ensure the Lifetime Mortgage we are offering is the correct one for you.
Our Credit Referencing Partners
We share your data with these firms to assess your suitability for a Lifetime Mortgage and aspects of our decision making are based on the responses we receive.
Our Property Valuers
We share your data with our surveyors in order to assess the suitability of your property for the purposes of a Lifetime Mortgage.
Our Conveyancing Partners
We share your data with our conveyancing partners in order that the release of the mortgage funds to yourselves is operated smoothly and the required charges are applied to your property at the appropriate registration services.
Fraud Prevention Agencies
The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found in section titled Fraud Prevention Agencies – Further Information.
Other service providers to our business
Other companies who process personal data on our behalf include those who provide day-to-day operational business services such as correspondence management, document scanning and copying companies, document destruction companies and printers as well as our IT service providers.
Fraud Prevention Agencies – Further Information
If false or inaccurate information is provided and fraud is detected, you could be refused certain services, finance or employment.
- Law enforcement agencies may access and use this information.
- We and other organisations may also access and use this information to prevent fraud and money laundering, for example, when:
o Checking details on applications for credit and credit related or other facilities
o Managing credit and credit related accounts or facilities
o Recovering debt
o Checking details on proposals and claims for all types of insurance
o Checking details of job applicants and employees
We and other organisations may access and use from other countries the information recorded by fraud prevention agencies. Please see below for further information regarding our fraud prevention agencies.
What is Cifas?
Cifas is the UK’s leading fraud prevention service, managing the largest database of fraud risk in the country – the National Fraud Database (the Cifas ‘database’). We are a not-for-profit membership organisation and serve those companies and organisations who are our members by facilitating the sharing of fraud risk data to reduce their exposure to fraud and financial crime. A full list of our members can be found on our website www.cifas.org.uk. We also offer individuals protection against identity fraud.
What is Cifas information used for?
The Cifas database allows our members to share details of fraudulent applications for products, goods or services. Members also exchange information about false insurance claims and accounts, policies or facilities which are being misused as a result of fraudulent conduct. Details of the personal information that will be shared include, for example: name, address, date of birth, contact details, financial information, employment details, document details, vehicle details, and device identifiers including IP address. This information can be held for up to six years in the Cifas database. In addition, information is exchanged about those at heightened risk of identity fraud and those who have already been victims in order to protect them from further fraud. Cifas is not a credit reference agency, so our information is not used to assess an individual’s creditworthiness. Cifas and our members have a legitimate interest in preventing fraud, money laundering and verifying an individual’s identity and the information shared is used just for those purposes. Please see our website to find out more about our legal basis for processing your personal data.
How does the Cifas database work?
Before providing services, goods or finance or when employing a new staff member, Cifas members can undertake checks against the database. If a Cifas record is returned as a result of these checks a member must not simply reject an application or close a facility and they are required to carry out further investigation to confirm that the personal data provided on the application is correct. If fraudulent conduct has been identified in an application, the member may decide to not proceed with the application or may decide to review an existing facility or employment. There may be occasions when a Cifas record is present and the personal details have been confirmed but the application may not be approved for other reasons, such as failure to meet a creditworthiness check. Most Cifas members also use one or more fraud prevention agencies other than Cifas. You can ask the organisation to explain why it has declined your application or closed your facility and the organisation should provide you with an explanation, including details of any credit reference agencies or fraud prevention services it has used to make a decision.
How does Cifas protect victims?
If a Cifas member identifies that you have been a victim of identity fraud, your details will be recorded in the National Fraud Database in order to help protect you from further identity crime. Members of Cifas will then see that you are at risk and take extra steps to protect you, helping to prevent fraudsters from using your details to apply for products and services in your name. This may mean that when you apply for financial products and services the process may take slightly longer than usual, as extra checks will be made on applications made in your name. Members of Cifas may also get in touch with you to make further checks before processing your application. Where the risk of fraud is very low, some members may accept the application and contact you following acceptance to double check that the application is from you. This will minimise delay while continuing to protect you from fraud.
Some Cifas members process applications and manage existing customer accounts outside of the European Economic Area. This may involve the transfer of information from the Cifas database but will only happen where personal data can still be protected to the standard required in the European Economic Area. This protection will be either through imposing contractual obligations or by subscribing to “international frameworks” intended to enable secure data sharing. Please see our website for more information.
Your right to access your data
Under data protection legislation you are entitled to request a copy of information held about you by Cifas. This is known as a Data Subject Access Request and is free of charge. If you wish to request a copy of any data held about you on the Cifas database, the quickest way is to visit the Cifas website where you can apply online:
Alternatively, you can make your request in writing to the following address:
6th Floor, Lynton House
7-12 Tavistock Square
The Cifas Data Protection Officer can also be contacted at this address.
To help us locate information we may hold about you, we will need your full name, date of birth, address history for the last six years as well as contact details such as your home telephone, mobile number and email addresses. We also require two proofs of your identity: a photocopy of a valid passport or driving licence and an original bank statement or utility bill (which lists your name and address and must be dated within the last three months). This must be an original document as photocopies and printed copies will not be accepted. Original documents will be returned to you. If you do not have these proofs, please contact us to discuss alternative options.
What if I want to complain about my record?
If you consider that the information we hold is incorrect you can challenge the record. In the first instance you will need to contact the member who recorded the information to Cifas and outline your reasons why you dispute the information recorded.
Once the Cifas member has considered your concerns and reviewed the case, they will issue a ‘Final Response Letter’, and if necessary, amend or delete any data held.
If, following the review by the Cifas member, you are still unhappy with the record you can ask Cifas to conduct an independent review of your complaint. Please include the ‘Final Response Letter’ with your request. You also have a right to complain to the Information Commissioner’s Office.
You have the following rights under data protection laws:
- The right to object to us processing your personal data
- The right to correct any mistakes in your personal data
- The right to restrict our processing of your personal data
- The right of access to personal data relating to you (known as ‘Subject Access Requests’)
- The right to require us to delete your personal data
- Rights in relation to automated decision-making
- The right to have your personal data provided to another controller
These rights are described in the following section Your rights in more detail.
How to exercise your rights
If you wish to exercise any of your rights, please contact us using the details contained in the part of this privacy notice headed Contact Details. When seeking to exercise any of your rights, please ensure that your request contains sufficient information and supporting documentation to enable us to consider your request and take appropriate action.
There are exemptions that apply to some of your rights. If any of these are applicable such that we are unable to comply with your request to exercise any of your rights, we will confirm this to you when responding to your request and apply those exemptions in accordance with data protection laws.
What will happen if your rights are breached?
You might be entitled to compensation for any damage caused by contravention of data protection laws.
Your rights in more detail
Your right to object to us processing your personal data
You may object to us processing your personal data where we rely on your consent as our legal basis for processing.
If you object to us processing your personal data for this purpose, you can withdraw your consent to this at any time in writing by contacting us at the details held in the Contact Details section of this privacy notice.
Your right to correct any mistakes in your personal data
You can require us to correct any mistakes (including adding missing information) in any of your personal data which we hold.
Your right to restrict our processing of your personal data
You may request that we restrict the processing of your personal data in any of the following circumstances:
- Where you do not think that your personal data is accurate. In this case we will start processing again once we have checked the accuracy of your personal data and it has been corrected if necessary
- Where the processing is unlawful, but you do not want us to erase your personal data
- Where we no longer need the personal data for the purposes of our processing, but you need the data to establish, exercise or defend legal claims
If our processing is restricted in any of the circumstances described above, we will inform you in advance if that restriction is to be lifted.
Your right to access your personal data (Subject Access Request)
You can ask us to confirm whether we are processing personal data relating to you. If we do, you may ask us to provide the following:
- A copy of your personal data (please note that, if you want more than one copy of your personal data, we reserve the right to charge a reasonable fee based on our administrative costs for the provision of such further copies)
- Details of the purpose for which your personal data is being, or is to be, processed
- Details of the recipients or classes of recipients to whom your personal data is, or might be, disclosed, including, if the recipient is based in a country outside of the European Union, what protections are in place in relation to the transfer to that recipient
- The period for which your personal data is held (or the criteria we use to determine how long it is held)
- Any information available about where we obtained your personal data from
- Confirmation as to whether we carry out any automated decision-making (including profiling) and, where we do, information about the logic involved and the envisaged outcome or consequences of that decision or profiling
Your right to require us to delete your personal data
You can ask us to delete your personal data in any of the following circumstances:
- You believe that we no longer need to process it for the purposes set out in this privacy notice
- You had given us consent to process it, but you withdraw that consent and there are no other legal grounds upon which we can process it
- You have successfully objected to our processing it
- It has been processed unlawfully or has not been erased when it should have been
Your rights in relation to automated decision-making
You have the right to ask a controller to review manually any automated decisions the controller makes about you.
Your right to have your personal data provided to another controller
In specified circumstances, an individual can ask a controller to provide them with an electronic copy of personal data that the controller holds, or to have such a copy transmitted directly to another controller.
Any queries regarding your mortgage should in the first instance be directed to us.
How to contact us
You may want to contact us to:
- Ask any questions you have in relation to the information contained in this privacy notice
- Exercise any of your rights under the data protection laws
- Request a version of this privacy notice printed in large print or braille
- Request an audio version of this privacy notice
- Make a complaint (see below)
To contact us you can email us at firstname.lastname@example.org or write to:
PO BOX 277,
How to make a complaint
If you have a problem or concern relating to the matters set out in this privacy notice that you would like us to look into, please contact us in the first instance using the details set out above.
We hope that we will be able to address the problem or concern to your satisfaction. However, if you remain unsatisfied you will have the right to make a complaint to the Information Commissioner’s Office.
The process for making a complaint to the Information Commissioner’s Office can be found on its website: www.ico.org.uk