Privacy | RBS


Privacy

We understand our customers not only trust us with their finances, but also with their information.

So we take privacy and the protection of customer, client and staff data very seriously, and our colleagues across the bank continue to work closely together to ensure the bank protects its customers' information. We endeavour to balance protecting customers' information with giving them options as to how they want to share and access their information (for example, the ability to use third-party aggregation apps).

The bank has been working to deliver compliance with the new General Data Protection Regulation (GDPR), in preparation for the deadline on 25 May 2018. In addition, we are closely monitoring the impact of the Brexit negotiations on our privacy obligations, as well as on cross-border data flows, and are liaising with industry bodies as appropriate.

We continue to maintain a close and open working relationship with our privacy regulators, including the Information Commissioner's Office (ICO) in the UK. The bank engages with the ICO proactively, liaising with the regulator on key projects and developments.

We care about being transparent and ensuring our customers can access the information we hold about them. We have seen an increase in the volume of Subject Access Requests compared to 2016, with the bank receiving more than 3.5 million from 1 January to 31 October 2017. The vast majority of these were PPI-related information requests, an average of more than 372,000 per month (or 520 per month excluding PPI requests).

The statistics below show the number of Requests for Assessment (RFAs) that the bank has received from the ICO. We are pleased that the numbers, considering the overall size of our customer base, remain very low, including in particular the number of complaints that are ultimately upheld by the ICO.

 

 

| | 2016 (full year) | 2017 (full year) |
|---|---|---|
| Total no. of RFAs received | 59 | 50 |
| Number upheld | 32 | 18 |
| Uphold rate % | 54% | 36% |

 

Glossary 



General Data Protection Regulation (or “GDPR”)

The regulation contains the new regulatory framework which regulates the processing of personal data within the European Union, setting out the ways in which information about living individuals may legally be collected, used and handled.

Information Commissioner’s Office (or “ICO”)

The ICO is the UK’s independent authority, set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

There are equivalent regulators in other EU Member States.

PPI

Payment Protection Insurance is a type of insurance product that enables a customer to insure repayment of credit should the customer become unable to make payments (e.g. through illness or loss of employment).

Requests for Assessment (or “RFA”)

The ICO may issue a Request for Assessment to organisations if it has concerns about that organisation’s compliance with applicable data protection legislation (e.g. if a customer makes a complaint).

Subject Access Request (or “SAR”)

A SAR is a written request from an individual to see information an organisation holds about them. Organisations must provide the information subject to very limited exemptions. In the UK, organisations must currently provide the information within 40 days of receipt of the request and can charge a maximum of £10 to respond to such requests.

 

 

We welcome the changes to European data protection rules

We’ve set up a bank-wide plan to make all the changes we need by May 2018.

We’ll be changing the privacy notices we send to our customers:

  • They’ll be clearer.
  • They’ll give customers more choices for how we use their information.
  • They’ll be better suited to the different ways our customers engage with us – both in person and through our apps.

 

* A Subject Access Request is a written request from an individual to see information an organisation holds about them. Organisations must provide the information subject to very limited exemptions. In the UK, organisations must provide the information within 40 days of receipt of the request and can charge a maximum of £10 to respond to such requests.
 
** The ICO may issue a Request for Assessment to organisations if it has concerns about that organisation’s compliance with applicable data protection legislation (e.g. if a customer makes a complaint).

 
