Table of content
Before we begin
This notice (Privacy Notice) applies to personal information held by members of the HSBC Group as data controllers, as described below. It explains what information we collect about you, how we’ll use that information, who we’ll share it with and in what circumstances. It also explains what steps we’ll take to make sure the information stays private and secure. We may need to retain your information even after we cease providing relevant banking, insurance or other products to you either to provide other products and services you continue to use or because we will retain your information in accordance with our retention policy. In those circumstances this Privacy Notice will continue to apply. It should also be read alongside the banking or insurance terms and conditions which apply to your products and services, as these include sections relating to the use and disclosure of information.
When does this Privacy Notice apply?
This Privacy Notice applies to you if you are a ‘Customer’, that is, you apply for, are now, or have in the past applied for or been our customer in relation to any of our personal products or services including savings, loans, credit cards, mortgages, investments or insurance. It will also apply to you if your personal data is or has been provided to us in relation to a Customer. This may be the case if you are or were an authorised signatory on a Customer account, you undertake banking or deals on behalf of a Customer (for example you are a trustee, executor or are an attorney under a Power of Attorney) or are an authorised signatory of those parties (Related Parties). In this Privacy Notice we have referred to both Customers and Related Parties as ‘You’ or ‘Your’. If there is a difference between how we treat Customers and Related Parties we have made this clear.
If you are an insurance customer, it also means you, named insurers or beneficiaries under your policy, dependents, claimants and other third parties involved in an insurance policy or claim (such as witnesses).
As well as this Privacy Notice, where you are a Customer, there is certain information about how we use information provided to us in your terms and conditions. Please note that the type of information we collect and the purposes for which we process it will differ depending on whether you are a Customer or Related Party.
If you apply for certain other products and services, you may be provided with a separate or supplemental privacy notice. If you also have a relationship with other parts of the HSBC Group (e.g. HSBC business banking, first direct, M&S Bank or HSBC in any other countries), they’ll provide you with information separately where required. Some of the links on our websites lead to other HSBC or non-HSBC websites with their own privacy notices, which may be different from this notice. You’ll need to make sure you’re happy with their privacy notices when using those other sites.
When we say ‘we’, we mean HSBC Group companies which act as a data controller in respect of your personal data. Unless otherwise stated below, the data controller for the purposes of this notice will be HSBC Bank plc, a company incorporated in England and Wales, and operating in the Channel Islands and Isle of Man through locally regulated branches. HSBC Bank plc’s registered office is at 8 Canada Square, London E14 5HQ, United Kingdom.
The address for HSBC Bank plc (Jersey Branch) set out in this notice is HSBC House, Esplanade, St Helier, Jersey JE1 1HS, Channel Islands; for HSBC Bank plc (Guernsey Branch) it is Arnold House, St Julian’s Avenue, St Peter Port, Guernsey GY1 3NF, Channel Islands; and for HSBC Bank plc (Isle of Man Branch) it is HSBC House, Ridgeway St, Douglas IM1 2SG, Isle of Man. If you’d like to get in touch with us, you can also find contact details in the ‘More details about your information’ section below.
You can exercise your rights by contacting us using the details set out in the ‘More details about your information’ section below. You also have a right to complain to the data protection regulator in the country where you live or work. For the Channel Islands and Isle of Man, these are:
How do we collect your personal information?
We collect information from various sources. In particular we:
- collect information from you through your dealings with us (for example when you visit our websites or mobile channels, complete application forms or answer questions online or in branch, speak with us in person or on the phone about any of our products or services);
- collect information from other sources (parties you have asked us to contact e.g. your financial advisor, broker or mortgage intermediary, other HSBC companies, for insurance customers, the insurance company which provides the insurance policies, checks or searches of publicly available information, and information services which allows us to undertake checks to help combat fraud, money laundering and other criminal offences);
- if you are a Related Party we will also collect information about you from the Customer you are related to.
What information we collect
If you are an insurance customer we will also collect the following data:
- information regarding your family members or other third parties who might be covered by or benefit from your insurance policy or be financially dependent on you;
- information which is relevant to your insurance policy, including details of previous policies and claims history. This will depend on the type of policy that you have with us;
- lifestyle information. For example, if you apply for a life insurance policy, we may ask for details such as your status as a smoker and alcohol consumption;
- details about your physical or mental health which are relevant to your insurance policy or claim. For example, if you make a claim, we may ask for medical information which relates to your claim;
- details about your criminal convictions or related information. This will include information relating to alleged offences; and
- any other information which is relevant to a claim that you make;
- Information relating to your insurance application where you apply for a policy via a comparison website or aggregator;
- Information from other parties involved in your insurance policy or claim.
How we’ll use your information
In limited circumstances, we may ask you for your written consent to allow us to process certain information. If we do, we will provide you with full details of the information that we would like and the reason we need it, so that you can choose whether you wish to give consent. You do not have to consent. It is not a condition of any contract with us that you agree to any request for consent from us.
How we make decisions about you
We may use automated systems to help us make decisions, e.g. when you apply for products and services, to make credit decisions and to carry out fraud and money laundering checks. We may use technology that helps us identify the level of risk involved in customer or account activity, e.g. for credit, fraud or financial crime reasons, or to identify if someone else is using your card without your permission.
If you are an insurance customer, we may use automated decisions to determine whether or not we can offer you insurance and at what price. We may base our decision on factors such as health, lifestyle and occupational information, as well as the level of cover being requested.
You may have a right to certain information about how we make these decisions. You may also have a right to request human intervention and to challenge the decision. More details can be found in the ‘Your rights’ section.
Tracking or recording what you say or do
To help keep you and your money safe, we will generally record details of your interactions with us. We generally record and keep track of conversations you have with us, including phone calls, face-to-face meetings, letters, emails, live chats, video chats and any other kinds of communication. We may use these recordings to check your instructions to us, assess, analyse and improve our service, train our people, manage risk or to prevent and detect fraud and other crimes. We may also capture additional information about these interactions, e.g. telephone numbers that you call us from and information about the devices or software that you use. We use closed circuit television (CCTV) in and around our sites and these may collect photos or videos of you, or record your voice.
Compliance with laws and regulatory compliance obligations
We’ll use your information to meet our compliance obligations, to comply with other laws and regulations, and to share with regulators and other authorities that HSBC Group companies are subject to. This may include using it to help detect or prevent crime (including terrorism financing, money laundering and other financial crimes). We’ll only do this on the basis that it’s needed to comply with a legal obligation, it’s in our legitimate interests and that of others, or to prevent or detect unlawful acts.
Marketing and market research
We may use your information to provide you with details about HSBC products and services, and also products and services from our partners and other relevant third parties. We may send you marketing messages by post, email, telephone, text or secure messages. You can change your mind on how you receive marketing messages or choose to stop receiving them at any time. To make that change, please contact us in the usual way.
If you ask us not to send you marketing, it may take us a short period of time to update our systems and records to reflect your request, during which time you may continue to receive marketing messages. Even if you tell us not to send you marketing messages, we’ll continue to use your contact details to provide you with important information, such as changes to your terms and conditions or if we need to tell you something to comply with our regulatory obligations.
We may use your information for market research and to identify trends. Market research agencies acting on our behalf may get in touch with you by post, telephone, email or other methods of communication to invite you to take part in research. We won’t invite you to take part in research using a communication method if you’ve asked us not to get in touch that way. Any responses that you provide while participating in market research will be reported back to us anonymously, unless you give us permission for your details to be shared.
Who we might share your information with
The information that we share will depend on the purpose for which we share it.
The third parties we may share your information with are:
- other HSBC Group companies and any sub-contractors, agents or service providers who work for us or provide services to us or other HSBC Group companies (including their employees, sub-contractors, service providers, directors and officers);
- any trustees, beneficiaries, administrators or executors;
- people who give guarantees or other security for any amounts you owe us;
- people you make payments to and receive payments from;
- intermediaries or any other person you have authorised us to share your information with or to take instructions from such as Related Parties or any joint account holders or joint customer or your advisers (such as solicitors, accountants or financial advisers);
- any party to an agreement or transaction you, or people you have authorised, instruct us to undertake. This would include payment recipients in respect of bank transfers, the company or investment vehicle we make an investment in for you or the insurer who provides the insurance policy we take out for you;
- any parties we are authorised to make transfers of information to under a contract or agreement we have with you, or, where you are a Related Party, a contract we have with the Customer that you are a Related Party for. This may include fund managers, investment managers or advisers or asset managers where we advise on or manage investments, or asset managers, guarantors or other security or joint obligors where you or the Customer to whom you are related has a loan with us;
- any parties who reasonably need information to conclude those agreements or transactions we are instructed to undertake or we undertake in accordance with our contracts or agreements with you or the Customer you are related to. This would include any banks, card processing or payment processors, correspondent and agent banks in relation to any bank payments or transfers, any clearing houses, clearing or settlement systems, fund managers, investment managers, administrators or registrars involved in approving or confirming any investment we make on your behalf;
- if our relationship arises out of an insurance policy or claim, insurers, intermediaries and administrators in respect of the policy, parties who are involved in assessing or processing any claim under the policy such as loss adjusters, claims handlers, private investigators, experts and our advisers and, where relevant, medical experts and rehabilitation providers;
- other financial institutions, lenders and holders of security over any property you charge to us, tax authorities, trade associations, credit reference agencies, payment service providers and debt recovery agents;
- any fund managers who provide asset management services to you and any brokers who introduce you to us or deal with us for you;
- any entity that has an interest in the products or services that we provide to you, including if they take on the risk related to them;
- to the credit reference agencies and fraud prevention agencies as set out in this privacy notice and to law enforcement, government, courts, dispute resolution bodies, parties to relevant disputes, tax authorities, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
- any people or companies where required in connection with potential or actual corporate restructuring, merger, acquisition or takeover, including any transfer or potential transfer of any of our rights or duties under our agreement with you;
- law enforcement, government, courts, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
- other parties involved in any disputes, including disputed transactions;
- fraud prevention agencies who’ll also use it to detect and prevent fraud and other financial crime and to verify your identity;
- anyone who provides instructions or operates any of your accounts, products or services on your behalf, e.g. Power of Attorney, solicitors, intermediaries, etc;
- anybody else that we’ve been instructed to share your information with by either you, a joint account holder or anybody else who provides instructions or operates any of your accounts on your behalf;
- our card processing supplier(s) to carry out credit, fraud and risk checks, process your payments, issue and manage your card;
- if our relationship arises out of an insurance policy or claim, we will also share your information with:
- other parties involved in providing your insurance policy, such as the intermediary or the insurer who provides your policy;
- third parties involved in the administration of the relevant insurance policy or claim, including loss adjusters, claims handlers, private investigators, experts and our advisers; and
- (where relevant), medical experts and rehabilitation providers.
Sharing aggregated or anonymised information
We may share aggregated or anonymised information, within and outside of the HSBC Group, with partners such as research groups, universities or advertisers. You won’t be able to be identified from this information, e.g. we may share information about general spending trends in the Channel Islands and Isle of Man to assist in research.
How long we’ll keep your information
We keep your information in line with our data retention policy. For example, we’ll normally keep your core banking data for a period of ten years from the end of our relationship with you. This enables us to comply with legal and regulatory requirements or use it where we need to for our legitimate purposes, such as managing your account and dealing with any disputes or concerns that may arise.
We may need to retain your information for a longer period, where we need the information to comply with regulatory or legal requirements or where we may need it for our legitimate purposes, e.g. to help us respond to queries or complaints, fighting fraud and financial crime, responding to requests from regulators, etc.
If we don’t need to retain information for this period of time, we may destroy, delete or anonymise it more promptly.
Transferring your information overseas
Your information may be transferred to and stored in locations outside of the Channel Islands, Isle of Man and the European Economic Area (EEA), including countries that may not have the same level of protection for personal information as CIIOM and the EEA do. When we do this, we’ll ensure it has an appropriate level of protection (such as by use of standardised clauses authorised under law) and that the transfer is lawful. We may need to transfer your information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate interests. In some countries the law might compel us to share certain information, e.g. with tax authorities. Even in these cases, we’ll only share your information with people who have the right to see it.
You can obtain more details of the protection given to your information when it’s transferred outside the Channel Islands, Isle of Man and the EEA by contacting us using the details in the ‘More details about your information’ section below.
Credit Reference Checks, Fraud and Money Laundering
Credit Reference Checks
- how you manage your bank accounts or credit;
- if you owe us money;
- if we have concerns about financial crime;
- if you haven’t kept up with your payments or paid off what you owe us (unless there’s a genuine dispute over how much you owe us), or if you’ve agreed and stuck to a repayment plan.
Fraud Prevention Agencies
We’ll carry out checks with fraud prevention agencies for the purposes of preventing fraud and money laundering, and to verify your identity before we provide products and services to you. These checks require us to process personal information about you.
The personal information you provide or which we’ve collected from you, or received from third parties, will be used to carry out these checks in order to prevent fraud and money laundering, and to verify your identity.
We’ll process personal information, such as your name, address, date of birth, contact details, financial information, employment details, and device identifiers e.g. IP address.
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering and to verify your identity. This enables us to protect our business and to comply with laws that apply to us. This processing is also a contractual requirement of any of our products or services you use.
Fraud prevention agencies can hold your personal data for different periods of time. If they’re concerned about a possible fraud or money laundering risk, your data can be held by them for up to six years.
Consequences of Processing
If we, or a fraud prevention agency, have reason to believe there’s a fraud or money laundering risk, we may refuse to provide the services and credit you’ve requested. We may also stop providing existing products and services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services to you. The information we hold about you could make it easier or harder for you to get credit in the future.
To find out more about credit and fraud checks including our fraud prevention agencies and how they manage your information, read our ‘Guide to Credit Scoring, Credit Reference and Fraud Prevention Agencies’ leaflet. You can get it from our website, in any of our branches or you can request a paper copy by contacting us in your preferred way. To find out about CIFAS’ fraud databases and how CIFAS manage your information please visit www.cifas.org.uk/fpn.
What we need from you
You’re responsible for making sure the information you give us is accurate and up to date, and you must tell us if anything changes as soon as possible. If you provide information for another person (for example, a joint account holder, a beneficiary under an insurance policy or a dependant), you’ll need to direct them to this notice. If we need that person’s consent, we will ask you to confirm that you have obtained such consent.
How we keep your information secure
We use a range of measures to keep your information safe and secure, which may include encryption and other forms of security. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards, including obligations to protect any information and applying appropriate measures for the use and transfer of information.
More details about your information
If you’d like further information on anything we’ve said in this Privacy Notice, or to contact our Data Protection Officer, contact us at HSBC House, Esplanade, St Helier, Jersey JE1 1HS, addressed ‘for the attention of the DPO’.
This Privacy Notice may be updated from time to time and the most recent version can be found at www.ciiom.hsbc.com/privacy.
Appendix – How we process your information
We’ll use your information for purposes including:
- Assessing whether to provide you with new products or services: checking the information you have provided, verifying if you meet any relevant criteria in respect of that product or service and where we are providing you with advice, determining if the product or service is suitable for you. We’ll do this in order to allow us to consider whether to enter into an agreement with you;
- To deliver our products and services (including insurance): administer your accounts, or process your transactions. We’ll do this in order to perform our contract with you;
- Banking operations support: we’ll use your information to enable the provision and function of our banking services in line with regulation, laws and customer rights and interests, e.g. complaints management and exit management. The lawful reasons for processing these are legitimate interest, legal obligation and in order to perform our contract with you;
- To prevent and detect crime, including e.g. fraud, terrorist financing and money laundering: this will include monitoring, mitigation and risk management, carrying out customer due diligence, name screening, transaction screening and customer risk identification. It may include sharing your information with relevant agencies, law enforcement and other third parties where the law allows us to for the purpose of preventing or detecting crime. We’ll do this to meet our legal obligations to prevent or detect crime, because it’s in the public interest or in furthering our legitimate interest in managing risk in our business. We may be required to use your information to do this, even if you’ve asked us to stop using your information. That could include (among other things):
- screening, intercepting and investigating any payments, instructions or communications you send or receive (including drawdown requests and application forms);
- investigating who you’re paying or who’s paying you, e.g. checks on payments into and out of your account and other parties related to those payments;
- passing information to relevant agencies if we think you’ve given us false or inaccurate information, or we suspect criminal activity;
- combining the information we have about you with information from other HSBC companies to help us better understand any potential risk;
- checking whether the people or organisations you’re paying or receiving payments from are who they say they are, and aren’t subject to any sanctions.
- Risk management: we’ll use your information to measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer risk. This includes credit risk, traded risk, operational risk and insurance risk (e.g. for underwriting or claims management purposes). We’ll do this because we have a legitimate interest in ensuring that we carry out a proper risk assessment prior to providing credit, insurance or other finance;
- Online banking, mobile apps and other online product platforms: we’ll use your information to allow us to provide you with access to HSBC online platforms and mobile apps (e.g. the HSBC CIIOM Mobile Banking app). The platform may allow you to directly or indirectly communicate with us through mobile apps, such as using online banking, or applying for products and services online. The lawful basis for processing your data for this purpose are to perform our contract with you or our legitimate interests in offering services to you online in order to enhance the efficiency of your banking experience and our relationship with you;
- Product and service improvement: we’ll analyse your information to identify possible service and product improvements. Where we provide you with aggregated information services, we’ll use your information to understand how you use these products, which may include your transactional information from other financial institutions, to help improve our products and services. The lawful basis for processing your information for this purpose is our legitimate interest in improving our products and services to best meet the needs of our customers and in developing and growing our business;
- Data analytics for tailored services: we’ll analyse your information to identify relevant opportunities to promote products and services to existing or prospective customers. This may include reviewing historical customer transactional behaviour or comparison of customer activity. We do this to help us provide you with products and services we think will be of most relevance to you. The lawful basis for using your information in this way is our legitimate interest;
- Marketing: we’ll use your information to provide you with information about HSBC products and services, and also products and services from our partners and other relevant third parties. The lawful basis for this is our legitimate interest in ensuring that you are appropriately informed of the products and services that we can offer to you. We may need your consent to communicate by certain channels and we’ll always make sure we get this where we need to. You can change your mind on how you receive marketing messages or choose to stop receiving them at any time. To make that change, contact us in the usual way;
- Protecting our legal rights: we may need to use your information to protect our legal rights, e.g. in the case of defending or the protection of legal rights and interests (e.g. collecting money owed, enforcing or protecting our security or defending rights of intellectual property); court action; managing complaints or disputes; in the event of a restructuring of companies or other mergers or acquisition. This may be in connection with action taken against you or other persons, e.g. joint borrowers or persons who give a guarantee or other security for your obligations to us. We’d do this on the basis that it’s in our legitimate interest;
- Resolving complaints: we may need to use your information to investigate complaints you, a Related Party or a person authorised to provide instructions or receive information in relation to products or services we provide to you makes. We will do this to comply with our legal obligations and on the basis of our legitimate interest in maintaining proper practice and efficiencies in meeting our legal and commercial obligations;
- Dealing with insurance products: if our relationship arises out of an insurance policy or claim, we will also use your information to:
- evaluate your insurance application and provide you with a quotation;
- handle or monitor any claims which you make or which arise under your insurance policy;
- where relevant, bring a claim against a third party; and
- apply for and claim on our own insurance policies.