Privacy Policy


Your personal privacy is of paramount importance to us at the North Group.

This privacy notice is intended to provide you with details of how we collect and use your personal data, as well as explaining your rights as a data subject,  in accordance with  UK Data Protection Legislation and Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (General Data Protection Regulation “GDPR”) .

Under the EU’s General Data Protection Regulation personal data is defined as:

‘Any information relating to an identified or identifiable natural person’

Who are we?

We are:

  • North of England Protecting and Indemnity Association Limited (Registered Number: 00505456)
  • North of England P&I Designated Activity Company (Registered Number: 628183)
  • North of England Insurance Services Inc. (Registered Number: 7008165)
  • Sunderland Marine Insurance Company Limited (Registered Number:  00016432)
  • North Group Services Limited (Registered Number: 03922891)
  • North Risk Services Limited: (Registered Number: 7277271)
  • North of England Marine Consultant (Shanghai) Ltd. Co. (Registered Number: 41000002201611180030)
  • NEPIA Trust Company Limited (Registered Number: 03225823)
  • Sunderland Marine Pension Scheme Trustees Limited (Registered Number: 07490490)
  • Trustees of North of England P&I Association Retirement Benefits Scheme

(Collectively referred to as the: North Group; we; us).  Our contact details can be found here.

Who is our Data Protection Officer?

Our Data Protection Officer is the Head of Group Compliance, who can be contacted at DPO@nepia.com or telephone on 0191 232 5221.


1.  What information do we collect about you?

As part of providing services to you we may collect personal data and special category data.

As a broker, intermediary or agent

For individuals who are employed or associated with a broker, intermediary, or agent

Personal data:

  • Names and titles
  • Address
  • Email address
  • Business contact details
  • Passport details
  • Bank account details

We need to collect this personal data from you to help in the administration of insurance contracts underwritten by us. In some cases we need to collect this personal data for relationship management purposes, to make payment of invoices and in the legitimate interests of our business.

In accordance with GDPR we have established the following lawful reasons for the processing of this data.

  • Necessary for the performance of a contract which you are a party to; or
  • Necessary for the compliance with a legal or regulatory obligation to which the Group is subject; or
  • Necessary for the purposes of the legitimate interests pursued by us in relation to the performance of insurance business, business development , relationship management purposes and keeping our records up to date; or
  • Necessary for the initial interests of the individual or another natural person.

We may also collect information from credit reference and fraud prevention agencies, and via insurance industry fraud prevention and detection databases and sanctions screening tools.

We may combine this with the information provided by you.

As a current and prospective member, or policyholder, or an individual associated with a member or policyholder; such as a skipper, crew member or ship owner

For current and prospective members, policyholders or individuals associated with a member or policyholder such as a skipper, crew member or vessel owner we may collect the following information:

Personal data:

  • Names and titles
  • Address
  • Email address
  • Date of birth
  • Bank account details
  • Passport details
  • Visa details
  • Identification number

Special category data

  • Details of illnesses or injuries, medical reports
  • Details of criminal convictions and offences

We need to collect this personal data from you, including information about your health or criminal records, to enable us to enter into or perform insurance contracts underwritten by us or otherwise to comply with legal obligations in relation to our insurance business. In some cases we need to collect this personal data for relationship management purposes, to make payment of invoices and in the legitimate interests of our business.

In accordance with the GDPR we have established the following reasons for the processing of this data.

  • In some instances, you will have provided your consent to the collection and sharing of this information;
  • Necessary for the performance of a contract which you are a party to;
  • Necessary for the compliance with a legal obligation to which the Group is subject;
  • Necessary to protect the vital interests of the data subject or of another natural person; or
  • Necessary for the purposes of the legitimate interests pursued by us in relation to fully assessing the insurance cover being provided, relationship management purposes, and keeping our records up to date.

Where we are required to collect and process personal data about you in relation to an insurance contract under which you are being provided with insurance cover, but you are not a party to the insurance contract, (for example an accident and sickness policy) we are able to do this using the insurance contracts exemption  provided for in Sch1, part 2, paragraph 20 in the Data Protection Act 2018 or otherwise as necessary to enable us to perform insurance contracts we have entered into in the legitimate interests of our business.

Special category and criminal conviction data

The Data Protection Act 2018 allows for the processing of special category and criminal conviction data for an insurance purpose in accordance with Sch1, part 2, paragraph 20.  This includes:

  • The processing of such data for advising on arranging, underwriting or administering of an insurance contract
  • Administering a claim under an insurance contract
  • Exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.

This is to the extent that the processing is not carried out for the purposes of measures or decisions with respect to the data subject and the data subject does not have and is not expected to acquire

  • Rights against, or obligations in relation to, a person who is an insured person under an insurance contract to which the insurance purpose relates, or
  • other rights or obligations in connection with such a contract.

The above information may also be provided to us from brokers, agents, intermediaries, correspondents, surveyors and professional advisors.

We may also collect information from publicly available sources, such as Companies House, credit reference and fraud prevention agencies, and via insurance industry fraud prevention and detection databases and sanctions screening tools.

Please note you may need to provide Bank Account details to Barclays Bank plc if you use the SMI online payment service.

We may combine this with the information provided by you.

As an individual involved in a claim, either as a member, policyholder, or an individual benefitting from a member or policyholder’s policy and any other interested party

In relation to an individual involved in a claim, either as a member, policyholder, interested party or an individual benefitting from a member or policyholder’s policy we may collect the following information:

Personal data:

  • Name
  • Address
  • Date of birth
  • Identification number
  • Bank account details
  • Passport details
  • Visa details
  • Wedding and birth certificates
  • Travel documentation

Special category data

  • Medical reports
  • Details of criminal convictions and offences

We need to collect this personal data from you, including information about your health or criminal records, to enable us to deal with the administration, processing, handling and settlement of claims made in respect of an insurance contract underwritten by us, and or to comply with legal obligations in relation to our insurance business. This personal data may also in some instances be necessary for the establishment, exercise or defence of legal claims.

In accordance with the GDPR we have established the following lawful reasons for the processing of this data.

  • In some instances you will have provided your consent to the collection and sharing of this information.
  • Necessary for the performance of a contract which you are a party to; or
  • Necessary for the compliance with a legal obligation to which the Group are subject; or
  • Necessary to protect the vital interest of you or another person; or
  • Necessary for the establishment, exercise or defence of a legal claim; or
  • Necessary for the purposes of the legitimate interests pursued by us in relation to the performance of insurance business, in particular the handling of claims.

Special category and criminal conviction data

The Data Protection Act 2018 allows for the processing of special category and criminal conviction data for an insurance purpose in accordance with Sch1, part 2, paragraph 20.  This includes:

  • The processing of such data for advising on, arranging, underwriting or administering of an insurance contract
  • Administering a claim under an insurance contract
  • Exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.

This is to the extent that the processing is not carried out for the purposes of measures or decisions with respect to the data subject and the data subject does not have and is not expected to acquire

  • Rights against, or obligations in relation to, a person who is an insured person under an insurance contract to which the insurance purpose relates, or
  • other rights or obligations in connection with such a contract.

We may process special category data where the purpose of the processing is to either prevent fraud or report suspicions of terrorist financing or money laundering (See Schedule 1, paragraphs 14 and 15 of the Data Protection Act 2018.

The above information may also be provided to us by brokers, agents, intermediaries, correspondents, surveyors and professional advisors.

We may also collect information from credit reference and fraud prevention agencies, and via insurance industry fraud prevention and detection databases and sanctions screening tools.

We may combine this with the information provided by you.

As an individual who currently receives or wishes to receive communications and updates from us

In relation to individuals who currently receive or wish to receive communications and updates from the North Group we may collect the following information:

  • Name
  • Address
  • Email address
  • Contact details

We need to collect this personal data from you to enable us to provide statutory communications to North Group members, to provide you with relevant industry information and in other cases for the purposes of business development and on-going management and development of business relationships.

In accordance with GDPR we have established the following reasons for the processing of this data:

  • Necessary for the compliance with a legal obligation to provide statutory communications; or
  • Necessary for the purposes of the legitimate interests pursued by us for relationship management, business development, providing information and best practice in relation to loss prevention and ensuring that our communications are appropriately targeted to our audience.

As an individual undertaking training and associated loss prevention activities organised or provided by us

In relation to individuals who wish to receive training organised by us we may collect the following information:

  • Name
  • Address
  • Date of birth
  • Email address
  • Contact details
  • Passport details

We need to collect this personal data from you to be able to arrange the training event and to be able to provide the learning and development you have requested.

In accordance with the regulation we have established the following lawful reasons for the processing of this data.

  • Necessary for the performance of a contract which you are a party to; or

Necessary for the purposes of the legitimate interests pursued by us for relationship management, business development, providing information and best practice in relation to loss prevention and ensuring that our communications are appropriately targeted to our audience.

As an individual who has applied or is considering applying for a role with the North Group

In relation to individuals who have applied or are considering applying for a role with the North Group we may collect the following:

  • Name
  • Address
  • National Insurance number
  • Proof of identity
  • Email address
  • Contact details
  • Curriculum vitae

Special category data

  • Details of ethnic origin
  • Details of disabilities
  • Details of criminal convictions and offences

We need to collect this personal data from you to enable us to progress your application for a role with us and for us to meet our legal obligations under applicable employment, health and safety and financial services laws and regulations. This may include sharing personal data with credit and background checking agencies.

In accordance with the GDPR we have established the following lawful reasons for the processing of this data:

  • In some instances you will have provided your consent to the collection and sharing of this information;
  • Necessary for the performance of a contract which you are a party to;
  • Necessary for the compliance with a legal obligation to which the Group are subject;
  • Necessary for the purposes of carrying out the obligations and exercising specific rights of the Group or yourself in the field of employment.

The processing of personal data relating to criminal convictions and offences is required to meet our regulatory obligations in respect of the employment of staff within a financial services organisation and is authorised by English  law.

We may also collect information from publicly available sources, such as Companies House, credit reference and fraud prevention agencies. We may combine this with information provided by you.

If you do not provide us with such personal data, we may not be able to progress your application for a role with us.

Visitors to North Group

In relation to individuals who visit North Group we may collect some or all the following information:

  • Name
  • Contact details
  • Address
  • Identification document details
  • Email address
  • Right to work information (if you will be temporarily employed by or providing services to North Group during your visit).

We operate CCTV in the reception area of North’s head office and Greek office, as well as in certain staff areas. We need to do this for security and safety reasons.

The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when necessary for the purposes of our legitimate interests.


2. Who do we share information about you with?

The sharing of personal data is required to support our business activities and to provide a service to you, along with ensuring that we meet applicable statutory or regulatory requirements.

We have detailed below a list of the type of recipients we may share information about you with as the specific recipients may change from time to time.

We do not share all information for all individuals with every third party and the list is subject to constant review and change. We will also not disclose your personal data to a third party unless we are satisfied that we either have your consent or there is a lawful reason for doing so.

If required a full list of the names of all parties that we share information is available from our Data Protection Officer (see details above).

List of recipients

  • Employees and directors of North Group who need access to the personal data to perform their role within the group.
  • Financial services regulators who oversee the activities of authorised insurance businesses.
  • Government agencies, public bodies or authorities who deal with taxation, such as HMRC.
  • Public bodies or law enforcement agencies who are concerned with anti- money laundering, anti-bribery, financial sanctions activity and disclosure and barring services.
  • Third parties as required under the relevant Insolvency Act requirements.
  • Corporate registrars who are legally required to hold certain company information.
  • Credit referencing and background checking agencies who provide credit, background and financial service checks.
  • Reinsurers involved with the reinsurance of North Group business.
  • Our corporate insurers if required under the terms of the policy placed with them.
  • North Group auditors and internal auditors.
  • Professional advisors such as lawyers, arbitrators, accounting firms, tax advisers and actuaries, who provide support in operating our business.
  • Brokers, intermediaries, agents, surveyors and correspondents who may provide initial and on-going support with our insurance business.
  • Our company bankers, custodians and investment managers who hold funds and/or make and receive payments on our behalf.
  • Website and internet service providers who provide support and hosting for our internet and intranet services.
  • Information technology (IT) support companies who provide day to day maintenance and support for our IT and database services.
  • Digital agencies who provide marketing and communication support.
  • Workflow management service providers.
  • Recruitment agencies who we may deal with during the recruitment process.
  • Printers and publishers who provide electronic and paper-based solutions for company publications.
  • Learning, development and training service providers.
  • Embassies who provide visa processing services for overseas travel or work abroad.
  • Current or prospective North Group members or policyholders.
  • International Group of Protection and Indemnity Clubs.
  • Software application and IT service providers who provide services to the Group.
  • Facilities and corporate travel suppliers.
  • Any company within North Group. For further information please click here.

3. Where do we send information about you to?  

North Group operates a number of branches and subsidiaries worldwide.  We may transfer information we hold about you to one or more of these locations (overseas transfer) if required to fulfil the purposes set out above.  We will only do this if one of the following conditions applies to the overseas transfer:-

  • it is necessary in order for us to perform a contract between you and us;
  • it is necessary in order for us to take measures to enter into a contract with you where you have requested us to do so;
  • it is necessary for us to establish, exercise or defend legal claims; or
  • If none of the conditions listed above apply, you have explicitly consented to the overseas transfer.

Unless you have specifically consented to the transfer, we will only transfer personal data outside the European Economic Area (EEA) where:-

  • We transfer the data to a country or international organisation which the EU Commission has decided ensures an adequate level of protection for your personal data;
  • the transfer of your personal data is subject to adequate safeguards, which may include binding corporate rules or standard data protection clauses adopted by the EU Commission; or
  • one of the derogations in the GDPR to transfer personal data outside the EEA applies.

4. How long do we store information about you for?

We are a regulated financial services entity and as such we are subject to prescribed retention periods in relation to personal data. We are also required to retain personal data to comply with limitation periods prescribed by law.

We operate a data retention policy for each jurisdiction in which we operate which sets out the specific periods we will hold information for and when we need to destroy information that we no longer require for legal, regulatory or commercial reasons.

Generally, our retention period will be up to six years. However, this may be longer in some instances for example dealing with a claim or for other jurisdictions.

Overall the criteria used to establish the period for which personal data will be stored is determined by regulatory or legal requirements. This is also supported by a North Group data retention policy which provides that such information must not be kept for any longer than necessary to fulfil the purposes for which it was collected. Further details are available from the DPO.


5. What are your rights?

You have the following rights:

  • Right of information – Controller must advise the data subject of how personal data is processed;
  • Right of access – request access to any personal data we hold about you;
  • Right of rectification -have any personal data which we hold about you which is inaccurate or incomplete rectified;
  • Right to be forgotten – have personal data erased in certain circumstances. This right does not apply, for example, where the processing is necessary (i) to comply with a legal obligation or (ii) for the establishment, exercise or defence of legal claims;
  • Right to restriction of processing – have the processing of your personal data restricted in certain circumstances. This right does not apply, for example, where we continue to use your personal data (i) for the establishment, exercise or defence of legal claims or (ii) to protect the rights of another;
  • Right of portability – to be provided with the personal data that you have supplied to us in a portable format that can be transmitted to another organisation without hindrance but in each case where (i) the processing is carried out by automated means and (ii) the processing is based on your consent or on the performance of a contract with you;
  • Right to object – object to certain types of processing, including processing based on legitimate interests, automated processing (which includes profiling) and processing for direct marketing purposes; and
  • Right to object to automated processing , including profiling -not be subject to a decision that is based solely on automated processing which produces a legal effect or which has a similar significant effect for you.

If you wish to exercise any of the rights set out above, you must make the request in writing to the Data Protection Officer (Details above). Please note some of these rights are restricted in some circumstances.

If you have provided your consent to any of the processing of your personal data, you have the right to withdraw your consent to that processing at any time. Please contact the Data Protection Officer if you wish to do so.

If you object to processing based on legitimate interests, we must no longer process that personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or that the processing is required for the establishment, exercise or defence of legal claims.


6. For individuals located outside of the EU

Australia

North Group is aware of and always seeks to comply with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 as amended by the Privacy Amendment (Enhancing Privacy Protections) Act 2012 (the Privacy Act) when managing and maintaining personal information in the course of its Australian business.

For the purposes of the Privacy Notice, “Personal Data” means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in material form or not.

“Special Category Data” means information or an opinion about:

  • Racial or ethnic origin
  • Political opinions
  • Membership of political association
  • Religious beliefs or affiliations
  • Philosophical beliefs
  • Membership of a professional or a trade association
  • Membership of a trade union
  • Sexual orientation or practices
  • Criminal record that is also personal information
  • Health information about an individual
  • Genetic information about an individual that is not otherwise health information
  • Biometric information that is to be used for the purposes of automated biometric identification or verification, or
  • Biometric templates

If you have any specific questions regarding the manner in which North Group manages and maintains your Personal Information please contact us directly.

The North Group will only use and share the data we collect from you for the reasons described in “1. What information do we collect about you?” and “2. Who do we share information about you with?” We will not use your personal information for any other purpose without your consent, unless compelled to do so by an Australian Law, court or tribunal order, or enforcement body.

You may submit any questions or issues to the UK Data Protection Officer at DPO@nepia.co.uk who will respond within 15 days.

If we have not responded within 15 days or you are unhappy with the response you may submit a complaint to the Office of the Australian Information Commissioner at www.oaic.gov.au. The North Group will deal with the complaint in accordance with the requirements of the Privacy Act and the APPs.

A copy of the Sunderland Marine Insurance Company Limited (Sunderland Marine) Australian Privacy Statement can be found at www.sunderlandmarine.com/australia/privacy-policy

New Zealand

The North Group seeks at all times to comply with the New Zealand Privacy Act 1993 and Privacy Principles.

For the purposes of the Privacy Notice, “Personal Data” and “Special Category Data” relate to any information about an identifiable individual.

If you are in New Zealand, you may submit any questions or issues to the UK Data Protection Officer at DPO@nepia.co.uk who will respond within 30 days.

If we have not responded within 30 days or you are unhappy with the response you may submit a complaint to the Office of the Privacy Commissioner at www.privacy.org.nz

Singapore

For the purposes of the Privacy Notice, “Personal Data” and “Special Category Data” relates to data, whether true or not, about an individual (whether living or recently deceased) who can be identified:

  • From that data; or
  • From that data and other information to which the organisation has or is likely to have access.

If you are in Singapore, you may submit any questions or issues to the UK Data Protection Officer at DPO@nepia.co.uk who will respond within 30 days.

If we have not responded within 30 days or you are unhappy with the response you may submit a complaint to the Personal Data Protection Commission at www.pdpc.gov.sg

Japan

For the purposes of the Privacy Notice, “Personal Data” is information about a living individual which can identify a specific individual by name, date of birth or other description contained in such information.

“Special Category Data” includes information about a person’s race, creed, social status, medical history, criminal record, any crimes a person has been a victim of, and any other information that might cause the person to be discriminated against.

If you are in Japan, you may submit any questions or issues to the UK Data Protection Officer at DPO@nepia.co.uk who will respond within 30 days.

If we have not responded within 30 days or you are unhappy with the response you may submit a complaint to the Personal Information Protection Commission at www.ppc.go.jp

Hong Kong

For the purposes of the Privacy Notice, “Personal Data” and “Special Category” data is defined as:

  • Relating directly or indirectly to a living individual
  • From which it is practical for the identity of the individual to be directly or indirectly ascertained, and
  • In a form in which access to or processing of the data is practicable

Please note that the provision of such data is voluntary however the refusal to provide the data may limit North’s ability to provide the services requested.

If you are in Hong Kong, you may submit any questions or issues to the UK Data Protection Officer at DPO@nepia.co.uk who will respond within 30 days.

If we have not responded within 30 days or you are unhappy with the response you may submit a complaint to The Office of the Privacy Commissioner for Personal Data at www.pcpd.org.hk


How do I make a complaint to a supervisory authority?

Any breach of the GDPR / DPA will be taken seriously and if you consider that the data protection principles have not been followed in respect of personal data about yourself or others you have the right to lodge a complaint with the relevant data protection supervisory authority.

Our data protection supervisory authority is the United Kingdom’s Information Commissioner’s Office.  If you have any issues with our processing of your personal data and would like to make a complaint, you may contact the Information Commissioner’s Office on 0303 123 1113 or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.

If you are located in Ireland our data protection supervisory authority is the Office of the Data Protection Commissioner. If you have any issues with our processing of your personal data and would like to make a complaint, you may contact the Office of the Data Protection Commissioner, Canal House, Station Road, Portarlingtron, Co. Laois or at info@dataprotection.ie.

Cookie Policy                                                                                                                

A cookie is a small file which asks permission to be place on your computer’s hard drive. For full details of our cookie policy please refer to our main internet site or click here.

Changes to the Policy

This Policy was last updated in August 2019. We reserve the right to make changes to this policy as required.

If you require this privacy notice information to be provided to you in paper form please contact:

Our Data Protection Officer, at DPO@nepia.com or telephone on 0191 232 5221.  


Collect and reference articles, publications and your own contacts list in your personal area.

  • Follow your interests
  • Access to more content
  • Connect with the relevant people
Register

Already registered? Log in