OneID® Individual Privacy Notice

OneID® Privacy Notice 

Update: Please read this privacy notice carefully as it has been updated with effect from 29 June 2023 to inform you about changes about how we collect and use personal information.

Overview

This privacy notice (and any other fair processing or privacy notice, such as cookie notices, that we may provide to you from time to time) explains the following in relation to your use of the OneID® service:

  • Who we are (and how you can check), and the data laws that govern us
  • How we collect and use information about you
  • What information we collect about you and what we store
  • How we keep it safe and secure
  • How long we keep it for
  • Why we may need to share it, and who with
  • International transfers of your information
  • Your rights to your information

 

Who we are

We are OneID Limited, a UK company whose mission is to help you prove who you are online in a safe and secure way, under your control and consent.

For the purpose of applicable data laws, we are the data controller of the personal information processed for the purposes set out below.

Further details can be found on our website.

How you can check who we are

Enabling trust online is at the heart of what we do, and that starts with us as a company.

We are registered with:

  • UK Companies House (company no. 11800511).
  • The Information Commissioner’s Office (ICO) as a data controller (reg. no. ZA741907).
  • The Financial Conduct Authority (FCA) as an Account Information Service Provider (AISP, ref. no 928911)
  • The Age Check Certification Scheme (ACCS) as an Age Check Provider (certificate ref. AC-0013508)
  • United Kingdom Digital Identity & Attributes Trust Framework, as an Identity Service Provider (Certificate ref. 2022/03/SCH3)

Laws that govern what we do

We are committed to ensuring that your privacy is protected, and we comply with the relevant parts of the following laws:

  • Data Protection Act 2018
  • UK General Data Protection Regulation (UK GDPR)
  • other data protection rules, including marketing laws, together with associated guidance

We will only use your information if we have a legal reason for doing so, including:

  • where you have given consent;
  • to comply with our legal and regulatory obligations;
  • for the performance of our contract with you or to take steps at your request before entering into a contract;
  • for our legitimate interests or those of a third party. A “legitimate interest” is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests; or
  • where your information is necessary for us to defend, prosecute or make a legal claim.

How we collect and use your personal information

OneID® is a service that enables you to securely share your personal data from your bank with a 3rd party organisation to access their goods or services (e.g. a retail website). We may also obtain your personal data from other trusted data sources such as credit reference agencies (acting as “Attribute Service Providers”) as a standalone source of data or where your bank does not hold or provide us with all the relevant information. There are three scenarios in respect of which we may process your personal information in relation to your use of OneID:

  • Whenever you use the service: The 3rd party’s systems will call the OneID service and, with your consent, OneID will then connect securely to your bank using Open Banking or to an Attribute Service Provider to collect the personal data you have consented to share (“Identity Data”), and we will then share your Identity Data with the 3rd Depending on the reason you are using OneID, we may store some of your Identity Data in an encrypted form which is only accessible by yourself (see What information do we store?). We use consent and ‘performance of a contract’ as the legal basis for this.
  • Account management: When you use the service your bank or the Attribute Service Provider sends us an identifier (“Bank Identifier”) which we then “hash” (using a computer algorithm) to create a unique (“OneID Identifier”). We do not retain the Bank Identifier and we cannot identify you from your OneID Identifier without going back to your bank to get your Bank Identifier. Each bank you use with our service will provide us with a different Bank Identifier, which will result in us creating a different OneID Identifier. This is the same for Attribiute Service Providers. We also create a separate OneID Identifier for each 3rd party to whom you send your Identity Data. This use of OneID Identifiers is an important measure we take to protect your privacy. We hold your OneID Identifiers in order to manage our own relationship with you and your further use of the OneID service. We use “performance of a contract” as the legal basis for this. We may also have to use your OneID Identifier to enable us to comply with legal requirements, and for operational reasons such as issue resolution and complaint handling and we use “compliance with our legal and regulatory obligations”, “legal claims” and “our legitimate interests” as the legal basis for this.

Also, when you use OneID we will collect limited usage data by reference to your OneID Identifiers (such as system logs) to enable the proper operation of OneID, to enable us to comply with legal requirements, and for operational reasons such as issue resolution and complaint handling (“Usage Data”). We use “performance of a contract”, “compliance with our legal and regulatory obligations”, “legal claims” and “our legitimate interests” as the legal basis for this.

  • Enquiries and Support: Generally speaking we do not expect to deal with you directly in person because, in the unlikely event that there is an issue with a transaction which you have concluded using the OneID service, you will most likely need to speak either to your bank or the 3rd party provider of goods/services to resolve it. However, if you do contact us directly via the “Contact Us” section of our website or using the contact details below, we will collect and hold the personal data you provide, and any other data we receive from or about you during subsequent related correspondence (“Contact Data”) and use it in relation to the matter in question. We use “performance of a contract”, “compliance with our legal and regulatory obligations”, “legal claims” and “our legitimate interests” as the legal basis for this.

What information do we collect about you?

In order to supply you with the OneID service, we will collect some or all of the following Identity Data from your bank or an Attribute Service Provider (in both cases, with your consent) and pass it on to the relevant 3rd party provider of goods/services:

  • name
  • address
  • date of birth
  • email address
  • phone number
  • bank sort code
  • bank account number

We may also collect information from your bank which relates to the type of account that you hold with them and characteristics of this type of account, such as whether your bank account has a credit/overdraft facility or whether it is a student account.

As mentioned above, we will also receive your Bank Identifier from your bank and we record your Usage Data against your OneID Identifiers.

If you contact us for any reason, the Contact Data we collect about you will depend largely on the reason for your contact, what data you decide to provide to us and what other data (if any) which we may need to collect in order to address your query but will, as a minimum, include your name/email address.

What information do we store?

We minimise the personal data that we do store to only that which is strictly necessary for us to provide the service (OneID Identifiers, Usage Data and in some cases Identity Data).

We aim to never store any of your Identity Data. As such, we will not store your Identity Data if it is possible to retrieve this directly from your bank and pass this straight to the relevant 3rd party. In this case we will not keep any copies. We will never store your Bank Identifier(s).

Where we are unable to retrieve all of the information necessary from your bank and depending on the reason you are using OneID, we may store some of your Identity Data (such as your address, date of birth, email address or mobile number). If we do store any of your Identity Data, we store this in an encypted form, which is only accessible by you (via a bank authentication), through a subsequent use of OneID.

We store the Identity Data, OneID Identifiers and your Usage Data so we can: provide a view of your Usage Data via a consent-management service when you next log in to OneID (via a bank authentication), where you can view the parties that you have shared your data with (a “Consent Console”); so that if you need to use OneID again, even for another 3rdparty, we will be able to confirm that your identity has been previously verified, so you do not have to keep repeating the process; and general account management services.

If we do ever receive Contact Data about you we will retain and only use it to address the matter in question.

How we keep your information secure

We have appropriate security measures to keep the information we hold about you (the OneID Identifiers, your Usage Data, your Identity Data and any Contact Data) safe and secure. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Any Identity Data we store is hashed and encrypted.  This process means that the encryption is only reversible, if you make a subsequent use of OneID and following a bank authentication. In order to identify you, we would need you to contact us with your OneID Identifier which we would need to pass to your Bank to identify you.  This Identity Data is not accessible in any other way.

How long do we keep your information for?

We will keep your transactional data (including your OneID Identifiers and Usage Data), and any Contact Data we hold, while we are providing services relating to you, and afterwards for 7 years in order to:

  • provide transactional information to you in the future where you request it via the OneID Consent console;
  • in order to meet our legal/regulatory obligations; and
  • address any matters about which you have contacted us directly.

We will not retain your personal information for longer than necessary for the purposes set out in this notice. When it is no longer necessary to retain your information, we will delete or anonymise it.

We will not use your information for marketing, or sell it

We will not use your personal information to provide you with marketing and promotional materials, and we will never sell and/or share your personal information with third parties for marketing purposes.

Why we may need to share your information, and who we might share it with

We may share your information with others where lawful to do so including where we or they:

  • have a legitimate business reason for doing so, e.g. to enable provision of the OneID service
  • have a public or legal duty to do so, e.g. to assist with detecting and preventing fraud
  • need to in connection with regulatory reporting
  • help support operational processes such as trouble shooting and managing disputes/legal claims
  • have asked you for your permission to share it, and you’ve agreed.

We will share your Identity Data, with your consent, with 3rd parties with whom we have a contractual relationship, in order to provide account opening, authentication and age verification services to enable you to easily prove who you are or how old you are online. We will also share your OneID Identifiers with those 3rd parties in order to provide those services and to manage our relationship with you.

We may also share your information with others, including:

  • companies within our group;
  • our professional advisors (including, but not limited to, tax, legal and other corporate advisors who provide professional services to us);
  • other third-party suppliers, business partners and sub-contractors for business administration, support, IT purposes and hosting services;
  • our regulators, law enforcement or fraud prevention agencies, as well as courts, the police and any other authorised bodies, for the purposes of investigating any actual or suspected criminal activity or other regulatory or legal matters; and
  • HMRC or other tax bodies or agencies to comply with our legal and regulatory obligations.

Transferring your information overseas

If we transfer personal information to countries outside the UK and/or EEA to countries which may not have the same level of data protection as the UK or EEA, we will only do so where appropriate safeguards are in place to enable us to legitimately and legally transfer data to them, such as: (i) transfers to countries with EEA/UK "adequacy" rulings; and/or (ii) where appropriate contractual (or other) arrangements are in place.

Your rights in relation to your information

You have various rights, including the following:

  • the right to be informed if your data is being used
  • to get a copy of your data (“right of access”)
  • to get your data corrected (“right of rectification”)
  • to get your data deleted (“right to erasure”)
  • the right to restrict processing (right to restriction)
  • the right to data portability (to any other third party, if reasonable)
  • the right to object to the use of your data

More detailed information about your data protection rights can be found at the ICO here. However, please note that because of the advanced privacy measures which we have built-in to the OneID service: (i) the rights listed above do not generally apply to your Identity Data because we do not keep copies of it, so you would have to contact your bank or the 3rdparties with whom you have shared your Identity Data to exercise your rights in respect of Identity Data; and (ii) because we cannot tell who you are from the OneID Identifiers we hold on our system, you will need to re-authenticate yourself with your bank (so that we can match your Bank Identifier to your OneID Identifier(s)) in order for us to confirm your identity and then assist you with your rights in relation to OneID Identifiers and Usage Data.

How to contact us

If you would like more information or have questions about this privacy notice or your rights in relation to your information, please contact us via email or letter to:

  • DPO@oneid.uk
  • 29 Wood Street, Stratford-Upon-Avon, England, CV37 6JG

If you have a concern about your data, please contact us first to help you resolve it. The ICO provides some guidance on how to do this here.

Changes to this privacy notice

We may change this privacy notice from time to time; when we do, you will be able to see the updated version when you next use OneID and also on our website here.