Privacy notice
When you apply to save or invest with us, we ask you to give us some of your personal details so that we can open and administer your account. We are committed to keeping all the information we hold about you secure, private and confidential.
This page explains why we need to collect your personal details and what we do with them. It also sets out the legal bases on which we collect and use your information and outlines the rights you have under current data protection legislation.
If you are a financial adviser please go to:
If you are a prospective NS&I employee please go to:
Prospective NS&I employee privacy notice
Downloadable version
This version of the privacy notice can be used with screen-reading software.
How we use your information
-
We’ll ask for your full name (title, forename(s) and surname), date of birth, postal address, phone number, email address and nominated bank account details. We ask for your bank details so that we can make payments to you, for example when you make a withdrawal or win a Premium Bonds prize. When you’re making a deposit by debit card, we’ll need your card details. And when making a cheque deposit to open an account, we’ll ask for details of the account on which the cheque is drawn.
We need this personal information so that we can provide you with the accounts or services that you have asked for. We also need some of this information to meet our legal obligation to check your identity, address and source of funds. If you don't provide it, then we may not be able to provide you with our accounts or services.
-
We’ll collect them when you apply to open an account through our website, by phone or by completing a form and posting it to us. We’ll also collect some of your details whenever you make a transaction or contact us about your accounts. This can be online, by phone, by post, by email or secure message, through social media, or when you use our apps or our online Premium Bonds prize options service.
-
Our website, and the emails we send out, use cookies and other tracking technologies to collect information. When you visit our website, you can choose to accept/decline or manage cookies, but our online application forms and other processes need to use cookies to work properly. You can find out more about our use of cookies by clicking the link to ‘Cookies’ at the footer of each web page.
Tools, such as calculators, do not store the information you enter. We may track the number of visitors to the website, but this tracking will not personally identify you.
We use cookies to collect information on website usage, and to enable some of the website's services. When you use our websites or apps, we collect information such as the browser you are using and the date, time and your IP address (a label used to identify your device on the internet).
We also collect information about the types of devices being used. This helps us to identify your trusted device(s) when you log in to your online account using two-factor authentication.
Social media
We use social media, for example, Twitter and Facebook, to communicate with you. We also use posts on social media to find out how people view our products and services and have established an online research community - see below. By engaging with us on social media you accept the following:
We monitor social networks for comments about NS&I and our products and services. We do this for training purposes and to help improve our products and services and to respond to your enquiries. Any comments or posts may be used for internal or external publication by NS&I or any organisation working on our behalf for these purposes.
Remember, your social network posts are not private and may be read by the general public. We’ll never ask you to post personal information or NS&I account or security information on social networks and you should never do so. This includes private messaging, with the exception that we may on occasion ask you to provide your name and telephone number privately to allow us to help you further outside the social media channel.
NS&I accepts no responsibility for any personal data you post to social networks or websites. They may store your personal data outside the UK/EU or in the US. Please read their privacy policies carefully.
Online Research Community
NS&I has commissioned Explain Market Research (EMR) to manage an online Research Community. EMR only collect the minimum amount of personal information necessary to set up and manage your account and the Community. If you want to see the EMR privacy notice, click the link below.
Explain Market Research Privacy Notice
Any personal data you provide to EMR when you join the online research Community, such as your name and email address, cannot be accessed by NS&I. Any contribution made on the Community, such as commenting on posts or creating discussions, can be seen with your Community username attached by other members of the Community, including NS&I staff members.
We strongly recommend that you choose a username which is not linked to your own name, and that you do not include any personal information in your postings that can identify yourself or others, including full names, addresses, home or mobile phone numbers, passwords, credit card numbers, copies of private emails or messages and any private images of yourself. We also advise against posting links to your blog, Facebook page, Twitter account or similar online accounts.
If you have any questions or concerns about NS&I’s online Research Community you can contact us at:
-
When you give us details about someone else, for example when you apply to open a joint account, you must have their agreement to do so.
-
The main reasons we use your information are to open and administer your account(s), process your deposits and withdrawals, and keep you up to date with information about your account(s).
We may also use your information to:
- meet our legal obligation to check your identity, address and source of funds
- prevent or detect fraud or other crime
- develop, test and improve our products, systems and services, including our website
- invite you to take part in market research and surveys
- carry out anonymous statistical analysis (we won’t be able to identify individuals when we do this)
- create customer-type profiles to help us improve existing products and services, and develop new ones
- send you marketing messages about NS&I accounts which may be tailored to your circumstances (unless you have opted out)
- run competitions, events and promotional activities
- send you important service messages about your accounts
- notify you of any Premium Bonds prizes
When you call us, we may monitor or record your call for a number of reasons, eg:
- Contractual – so we have a record of what was said regarding your savings and investments.
- Legitimate interests – for staff training, or quality assurance, dispute resolution and fraud prevention and detection.
- Consent – so that we have a record of consent when a customer allows us to talk to a member of your family on your behalf.
For more information about these purposes, see the Lawful Bases section below.
-
We use selected organisations to help us deliver the service we provide to you. We may share your personal information with:
- our service providers who provide data processing services to us, for example helping to administer your account and investments, printing and sending warrants and statements to you, and sending you post and emails about your accounts and carrying out and supporting our market research. We only share the information that's necessary for them to provide their services
- Regulators such as the Financial Ombudsman Service (FOS) or the Information Commissioner’s Office (ICO)
- Credit reference agencies to check your identity, address and source of funds, and to prevent fraud
We may also share your information with government bodies, law enforcement agencies, courts or other third parties to comply with our legal obligations or lawful disclosure requests, for example.
You can also ask us to share your information with anyone else, for example a financial adviser.
-
We keep personal information we collect from you where we have an ongoing legitimate need to do so (for example, to provide you with the accounts you have opened or to comply with legal, financial, tax or accounting requirements). We keep your personal information for seven years in line with industry best practice and in accordance with the Limitation Act 1980.
We keep records of Premium Bonds holdings for longer than seven years. This is to allow us to reallocate prizes where we discover that one or more prizes paid out were not valid. This can happen, for example, when a Bond holder dies but no one tells us.
Your rights in relation to data retention include:
- The right of access.
- The right to rectification – unless the data form part of a historical record that was correct at the time they were collected or used.
- The right of erasure – only applies where we are holding your personal information beyond our statutory, regulatory or legitimate timescales.
- The right to data portability – only applies where the data has been collected under consent or contractual purposes.
- The right to object – only applies where the retention is based on the grounds of public interest or NS&I’s official duty, or its legitimate business interests, unless we can demonstrate compelling legitimate grounds for the retention to continue in line with statutory or regulatory timescales.
Plus:
- The right to lodge a complaint with the Information Commissioner’s Office (ICO).
- The right to a judicial review.
- The right to receive compensation.
- The right to representation by a not-for-profit body to lodge complaints and seek a judicial remedy on your behalf.
For more information about your rights, see the Your Rights section below.
Personal information held by the NS&I research team in order to conduct market research activities may be kept for up to 2 years after the completion of the project. This is so we can carry out further anonymous statistical analysis (we won’t be able to identify individuals in the analysis). Please rest assured your survey responses will not be used for marketing or sales purposes or disclosed to anyone not connected to the survey activity.
Where you have provided personal information to a research agency undertaking research on behalf of NS&I, you may also refer to that agency’s privacy notice, which we will provide as a link.
-
Each month we publish the winning Premium Bonds numbers on our website, together with the value of the prize, the value of the holding, the date the Bond was bought and the area where the Bond holder lives. We do not publish the names or other details of Premium Bonds winners.
-
In some circumstances, your information is processed outside the UK and Europe, to process transactions, correspondence or in the course of our third parties’ activities. These countries may have data protection laws that are different to those in the UK and Europe, which may be less protective. In these cases we will ensure that your information is processed in line with the data protection law in the UK and Europe.
For example, our operational partner carries out some ‘back-office’ administration for us in India. They have in place ‘Binding Corporate Rules’ (contractual obligations) which require them to process your information in line with UK and European data protection law. If you want more information, please contact us.
-
We will give you information about your accounts and provide regular statements. If we need to get in touch, we will call you, write to you by email or letter, send you a text message, or contact you through our online service.
In the event of a data breach that could lead to a high risk to your rights and freedoms, for example the risk of financial loss, we will let you know without undue delay.
To make sure you can receive information and communications from us and to prevent your details being accessed by someone else, please make sure you tell us whenever you change your name, address, phone number, email address or nominated bank account. Giving us your most up to date details will also help protect your account(s) by making sure any information we send you doesn’t fall into the wrong hands.
You can update your details online or by contacting us.
-
From time to time we may update this privacy notice. If we make a significant change to how we use your information, we will let you know in advance.
-
If you have a question, sometimes it’s not convenient to call. That’s one reason we’ve introduced web chat – our online instant chat service. When using our web chat, we may ask for your name and the reason for the chat. We may also invite you to take part in an optional short survey after your web chat has finished.
We can only help with general queries via web chat and are unable to access your account during a web chat session. We will not ask you to provide any personally identifiable information, such as your full name, date of birth, email address or account information.
We keep a copy of chats for one year for staff training and quality assurance purposes but this will not be linked to your account or be searchable due to the absence of personal or account information. However, if you wish, you can save your own copy of the chat by using the copy & paste function on your device to save in a document or notepad for your records.
-
At NS&I we’re committed to making it easier for customers to know if their Premium Bonds have won any prizes. That’s why we introduced our Premium Bonds prize checker voice applications, so you can find out if you have won any prizes through a voice-enabled device such as Amazon Alexa.
By using our voice applications, you acknowledge that your data will be processed in line with this privacy notice.
The applications require your NS&I number or Premium Bonds holder’s number, or the NS&I number or holder’s number of any friends or family who want to use the voice application to check their Premium Bonds prizes. You will need to assign a name or nickname to each number you provide, to make it easier to know whose Premium Bonds you are checking. The numbers and names/nicknames you provide will be stored on the systems that run the application. If you provide someone else’s number(s) on their behalf, you must have their permission.
The voice applications do not need any other personal data.
We may store the commands and phrases you use to interact with the applications, and we may use them to improve the service. Your voice input will also be recorded and processed by your voice device provider. If your voice input contains any personal data these will also be recorded by your provider. Please see their privacy policy to find out more about how they collect and use your data.
Please be aware that the voice applications will respond to anyone who has access to your device and NS&I number, holder’s number or name/nickname. They will read out prize winnings, including high value prizes, regardless of your location, meaning that other people nearby may overhear this. For this reason, please be careful where and when you use the voice applications.
-
We offer two mobile apps – the Premium Bonds prize checker app to allow you to check if you’ve won any prizes, and the NS&I app to let you check your balances and transactions.
Like most other apps we collect anonymous data on how you use our apps in order to make improvements and fix any issues that may occur. Cookies and similar technologies last for different lengths of time depending on the job they do. Some last for the length of your online session and are removed automatically from your device when you leave the app and others last for a specific period of time.
You can specify the data categories (described below) you agree to us collecting by managing the data in our apps:
Strictly necessary
These help us ensure that the app can function properly, for example to verify your identity, help keep our apps secure and help us detect fraud or crime. They allow you to navigate our apps and use the core services and features we provide.
We don't have to ask for consent to store these on your app.
| Name | Purpose | Provider | Lifespan | Type |
| --- | --- | --- | --- | --- |
| AUTH_SESSION_ID | Mandatory technical purpose usage for the proper functioning of the application | Worldline | Session | HTTP Cookie |
| AUTH_SESSION_ID_LEGACY | Mandatory technical purpose usage for the proper functioning of the application | Worldline | Session | HTTP Cookie |
| JSESSIONID | Mandatory technical purpose usage for the proper functioning of the application | Worldline | Session | HTTP Cookie |
| KEYCLOAK_IDENTITY | Contains a token (JWT) with the user ids and helps manage user's browsing session across the app | Worldline | Session | HTTP Cookie |
| KEYCLOAK_IDENTITY_LEGACY | Manage legacy issues and helps manage user's browsing session across the app | Worldline | Session | HTTP Cookie |
| KEYCLOAK_SESSION | Contains different session information and helps manage user's browsing session across the app | Worldline | 7 days | HTTP Cookie |
| KEYCLOAK_SESSION_LEGACY | Manage session legacy issues and helps manage user's browsing session across the app | Worldline | 7 days | HTTP Cookie |
| NSI_COOKIE_STORAGE | Mandatory technical purpose usage for the proper functioning of the application | Worldline | Session | HTTP Cookie |
| KC_RESTART | Mandatory technical purpose usage for the proper functioning of the application | Worldline | Session | HTTP Cookie |
| Authorisation | Used as part of the security mechanisms to protect access to customer accounts | NS&I | 1 Day | NSHTTPCookie |
| XSRF-TOKEN | Used as part of the security mechanisms to protect access to customer accounts | NS&I | Session | NSHTTPCookie |
| anonymousUserid | Used as part of the security mechanisms to protect access to customer accounts | NS&I | 1 Year | NSHTTPCookie |
| Utag_main | Used to identify the customer across the app to allow their cookie consent preferences to be respected | Tealium | 1 Year | NSHTTPCookie |
| CONSENTMGR | Used to store the cookie consent preferences | Tealium | 3 Months | NSHTTPCookie |
Analytics
This helps us understand how users use our apps, for example which screens are accessed the most often, the time spent in the apps, which model of phones are being used to access the apps, and the number of users we have. No data is collected which would allow us to identify a user – all information collected is aggregated and therefore anonymous.
| Name | Purpose | Provider | Lifespan | Type |
| --- | --- | --- | --- | --- |
| FPC | Used to aid the collection of statistics on the number of visits a customer makes to the app, which screens are viewed and how customers spend time on the app | Oracle Infinity | 2 Years | NSHTTPCookie |
Technical errors
This informs us if the apps aren’t working as expected or if they crash. It allows us to investigate any issues that may occur in order to improve the app and fix any problems.
The legal background and your rights
Here we summarise the lawful bases on which we collect and use your information and outline the rights you have under current data protection legislation.
-
We are allowed to use your personal information for a range of reasons, called ‘lawful bases’. These are:
Contract
We need to collect and use your personal information to be able to provide you with the savings account(s) that you want to open and use. We cannot provide the service if you don’t give us the information we ask for.
Legal obligation
We may need to use your personal information to meet our legal obligations, for example if we need to check your identity, address and source of funds to comply with the Money Laundering Regulations.
Legitimate interests
We have a legitimate interest in promoting our accounts and services. For this reason, we may use your personal details to, for example, send you marketing information about our own accounts or services that we think you may be interested in. We may also invite you to take part in research or surveys to help us improve the products and services that we offer. You can ask us to stop sending you marketing and/or research invitations at any time.
Consent
We only rely on consent as a lawful basis for using your personal information in a few limited circumstances, for example if you want us to share information with your financial adviser or nominated representative. You can withdraw your consent at any time, and we make it as easy to withdraw consent as it is to give it.
Public Interest/Official Authority
There are times when we need to share information with other government bodies to allow them to meet their legal obligations, for example where HM Revenue & Customs need to know how much gross interest you have earned during a tax year.
-
You have a range of data protection rights in relation to the information we hold about you. You can exercise any of these rights by contacting us. Note that not all of the rights are absolute – some of them depend on which lawful basis we are using to process your information.
Right to be informed
You have the ‘right to be informed’ about the processing of your personal data, in addition to other information necessary for how we process your data in a fair and transparent way. We use this privacy notice as the main way of providing you with ‘privacy information’. We provide you with this information at the time we collect your data or, if we obtain your data from another source (for example where a grandparent completes a Premium Bonds application form for a child and gives details of the child’s parent), then we will provide this privacy information within one month, usually as part of a ‘welcome pack’. You can contact us if you need further information. This right to be informed applies to data processing for any of the purposes listed in the lawful bases section.
In some circumstances, we do not have to provide this information. For example where:
- you already have the privacy information and nothing has changed
- giving you the privacy information is impossible or would require ‘disproportionate effort’, or
- giving you the privacy information would make it impossible to use your data or seriously damage the reasons for its use.
Right of access
You have a right to receive a copy of your personal information; this is known as a ‘right of access’. If you are concerned about the way NS&I collects and uses your personal data, you can make a data subject access request and we will send you a copy of the information we hold about you. This is another way for you to be informed of which personal data we hold and how we use it, in addition to this privacy notice.
When we reply, you will receive:
- confirmation that we are processing your personal data;
- a copy of your personal data; and
- other supplementary information (largely corresponding to the information that you may find in our privacy notice).
You can make a subject access request verbally or in writing. The Information Commissioner’s Office recommends that if you make your request verbally, you should follow it up in writing to provide a clear trail of correspondence and help explain what information you are asking for.
If you want to make a subject access request via social media your request will be public and we do not recommend its use. If we are unable to identify you in this way, you will still need to send us the same details that the form below requires, preferably by a more secure channel.
This right applies to data processing for any of the purposes listed in the lawful bases section, but in some cases (for example market research or statistical data) where we are not able to identify you, we would not be able to provide you with that information.
You can download and print a data subject access request form or contact us with all the information we ask for on the form.
Download a data subject access request form
Right to data portability
Where we process your personal information by automated means for contractual purposes, or with your consent, you can ask us to provide a copy of the information we hold about you in a structured, machine readable format (for example a CSV file). You also have the right to ask us to transfer your data to another organisation but only where this is ‘technically feasible’. This is known as the ‘right to data portability’.
This right only applies to personal data:
- held electronically, and
- that you have provided to us.
Data you have provided does not just mean information you have typed in, such as a username or email address, but may also include data we hold in relation to your use of an account or service. This may include:
- website or search usage history
- payments in or out of a savings account.
Where we process your personal information by automated means for contractual purposes, or with your consent, you can ask us to provide the information we hold about you in a structured, machine readable format (for example a CSV file).
Right to rectification
You have the ‘right to rectification’ of your personal information. You have the right to have information we hold about you corrected where it is incorrect or out of date, and completed where it is incomplete. We occasionally contact customers to improve the quality and completeness of the data we hold, but we rely on you to let us know if your circumstances or details have changed (for example if you change your name or address).
If the information we hold about you is incorrect, out of date or incomplete, please let us know and we will put it right. You should:
- state clearly what you believe is inaccurate or incomplete
- explain how we should correct it, and
- where available, provide evidence of the inaccuracies.
While this right applies to data processing for any of the purposes listed in the lawful bases section, there may be some cases where we would not need to rectify your data (for example if we test our systems or services using ‘scrambled’ data to partially obscure your identity, that scrambling is intentional and will not affect the data we hold as part of your customer record). If we are satisfied that the personal data we hold are accurate, we will tell you that we will not be amending the data. We will explain our decision, and let you know of your right to make a complaint to us. You may then complain to the ICO or seek to enforce your right through a judicial remedy.
There are some cases where rectification would not be possible, for example where we have anonymised your personal data for market research purposes or statistical analysis. In these cases it would not be possible to identify your data, and we would be unable to verify its accuracy or restrict its use or delete it.
You can download and print a right to rectification form or contact us with all the information we ask for on the form.
Download a Right to rectification form
Right to restrict processing
You can limit the way NS&I uses your personal data if you are concerned about the accuracy of the data or how it is being used. If necessary, you can also stop NS&I deleting your data. Together, these opportunities are known as your ‘right to restriction’.
Like the right of access, this right applies to data processing for any of the purposes listed in the lawful bases section, unless we have anonymised your personal data (for example, for market research purposes or statistical analysis). In these cases it would not be possible to identify your data in order to restrict its use.
You can ask us to temporarily restrict the use of your data when we are considering:
- a challenge you have made concerning the accuracy of the data we hold, or
- an objection you have made to the use of your data.
You may also ask us to restrict the use of your data rather than delete it if:
- we have processed your data unfairly or unlawfully but you do not want it deleted, or
- we no longer need your data but you want us to keep it to create, exercise or defend a legal claim.
There are some cases where restriction would not be necessary, for example:
- we have your consent to continue processing your data
- the data are needed for legal claims
- the data are needed to protect another person’s rights, or
- its use is for reasons of important public interest.
Right to erasure
You can, in some circumstances, ask us to delete personal data that we hold about you. This is known as the ‘right to erasure’, also known as the ‘right to be forgotten’.
This right applies to data processing for any of the purposes listed in the lawful bases section, where:
- we no longer need the personal data for the purposes for which we originally collected it, or
- the processing is based on your consent and you have withdrawn your consent, or
- you have objected to the processing and we do not have any overriding legitimate reason to continue the processing, or
- we are processing your personal data for direct marketing purposes and you object to that processing, or
- we have unlawfully processed the personal data, or
- we have to erase the personal data to comply with a legal obligation in UK law.
Most of our processing is governed by contractual, statutory or regulatory purposes, and these purposes often dictate how long we need to keep your personal data for. Please see our ‘How long do you keep my information for’ section of this privacy notice.
The right to erasure does not apply if we need to process your data for one of the following reasons:
- for exercising the right to freedom of expression and information;
- when we are legally obliged to keep hold of your data;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- when erasing your data would prejudice scientific or historical research, or archiving that is in the public interest; or
- when keeping your data is necessary for establishing, exercising or defending legal claims.
There are some cases where we would be unable to comply with your erasure request, for example, where we have anonymised your personal data for market research or statistical analysis. In these cases, it would not be possible to identify your data, and we would be unable to comply with your right to erasure.
If, having considered your request, we decide not to erase your data, we will still reply to you and explain why not, and let you know about your right to make a complaint to us. You may then complain to the ICO or seek to enforce your right through a judicial remedy.
Download a Right to erasure form
Notification of Rectification, Restriction, or Erasure
We will tell each third party, to whom your personal information has been disclosed, about any rectification or erasure of personal data or restriction of processing carried out, unless this proves impossible or involves disproportionate effort. If you want us to confirm that we have done this, please let us know.
Right to object
Where we are processing your personal information for the performance of a task carried out in the public interest or in the exercise of our official authority or where we have a legitimate interest in doing so, you can object to the processing, based on your particular situation, on the grounds that it is causing you damage or distress (for example financial loss), or where it impacts on your fundamental rights and freedoms, and you’d like us to stop. You must clearly state the specific reasons for your objection, based on your particular situation.
If we agree to your objection, we will stop using your data for that purpose unless we can give strong and legitimate reasons to continue using your data despite your objections. You have an absolute right to object to us using your data for direct marketing (in other words, trying to sell things to you). This means we will stop using the data for this purpose without seeking a legitimate reason to continue.
Before objecting you will need to know which lawful basis we are relying on (see the lawful bases section). This is because you can only object to processing when we are using your data:
- for a task carried out in the public interest
- for a task carried out in the exercise of our official authority
- for our legitimate interests
- for scientific or historical research, or statistical purposes, or
- for direct marketing.
Generally, the reason we process your personal data will determine whether or not you can object. However, there are some cases where we would be unable to comply with your objection, for example where we have anonymised your personal data for market research or statistical analysis. In these cases it would not be possible to identify your data, and we would be unable to comply with your right to object.
We can refuse to comply with your objection if we can prove we have a strong reason to continue processing your data that overrides your objection, or where the use of your data is for a legal claim.
You can download and print a right to object form or contact us with all the information we ask for on the form.
Download a Right to object form
Right not to be subject to automated decision-making
Some of our processes are partly or wholly automated, but we don’t make decisions that have a significant or legal effect without human involvement. For example, we may check your evidence of identity electronically, but if this is unsuccessful we will write to you to ask for documentary evidence instead.
When decisions are made about you without people being involved, this is called ‘automated individual decision-making’, or ‘automated processing’ for short, and includes some profiling.
You have the right not to be subject to a decision that is based solely on automated processing if the decision affects your legal rights or other equally important matters (for example automatic refusal of an online credit application, and e-recruiting practices without human intervention).
We do not make decisions based solely on automated processing. Where automated decisions may be made, these are usually:
- necessary for the purposes of a contract between you and NS&I
- authorised by law (for example to prevent fraud or tax evasion), or
- based on your explicit consent.
In these cases, there is always some form of human intervention at the decision stage and we offer the following additional rights:
- to understand the reasons behind decisions made about you and the possible consequences of the decisions, and
- to object to profiling in certain situations, including for direct marketing.
Nevertheless, we still comply with the UK GDPR principles and we have explained our lawful bases for processing your personal data. We also have processes in place so that you can exercise your rights, as explained in this privacy notice.
Right to lodge a complaint with a supervisory authority
If you have a complaint about the way we have used your information, please contact us first and we will do our best to put things right for you. If you’re not happy with our response, you can escalate your complaint to the Information Commissioner’s Office (ICO) – see the end of this privacy notice for their contact details.
Additional rights
You also have the right to a judicial review where you consider that your rights under the data protection legislation have been infringed, or as a result of us processing your personal data in non-compliance with the legislation.
Where you have suffered material or non-material damage as a result of an infringement of the data protection legislation, you have the right to receive compensation from us for the damage suffered.
Additionally, you have the right to representation, to mandate a not-for-profit body, organisation or association to lodge a complaint with NS&I, or with the ICO, to seek a judicial review and receive compensation on your behalf where allowed for by the Data Protection Act 2018.
Where we can refuse
We can refuse to comply with your data subject rights request if we can prove we have a strong reason to continue processing your data that overrides your objection, or where the use of your data is for a legal claim, or where the data has been anonymised or scrambled and we are not able to identify it as your data. We can also refuse to comply if we believe that your request is ‘manifestly unfounded or excessive’ or repetitive in nature. In all these cases, we will explain our decision, and let you know of your right to make a complaint to us. You may then complain to the ICO or seek to enforce your right through a judicial remedy.
Of course, we cannot refuse your request to stop sending you marketing communications.
How to exercise your rights
You can exercise your rights at any time by contacting us using the details shown below.
Useful contacts
Data protection questions
NS&I is the data controller of the information we hold about you. If you have any questions or concerns about how we process your information, you can contact us or write to:
Data Protection Officer
NS&I
16-20 Sanctuary Buildings
Great Smith Street
London
SW1P 3BT
-
You can find out more about data protection and the rights you have by contacting the independent Information Commissioner’s Office:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
0303 123 1113
Frequently asked questions
-
The UK General Data Protection Regulation (UK GDPR) and the new Data Protection Act 2018 (DPA18) both came into effect on 01 January 2021 following the UK’s departure from the EU. They sit alongside the original (EU) GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). All are collectively known as the UK’s Data Protection Legislation.
-
The UK General Data Protection Regulation (UK GDPR) is a revised version of the (EU) GDPR, and came into effect on 01 January 2021 when the UK left the EU. It covers the processing of personal data by a controller or a processor established in the United Kingdom and sits alongside the UK’s current Data Protection Legislation (see above).
-
The new DPA18 sets out the framework for data protection law in the UK and has been updated to reflect the changes made as a result of the UK leaving the EU on 31 December 2020. It updates and replaces the previous DPA2018, and came into effect on 01 January 2021.
It sits alongside the UK GDPR, and modifies how the GDPR applies in the UK - for example by providing exceptions and exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.
-
Yes, it was. We have always been committed to keeping your personal information safe, secure and confidential, and we previously complied with the Data Protection Act 1998. We now comply with the new data protection legislation (UK GDPR and the new DPA 2018 and PECR), which gives you even more control over your information.
-
You already have a number of rights relating to the information we hold about you. The new data protection legislation is designed to strengthen those rights and make it easier for you to access your data and exercise your rights.
-
Once the UK left the EU, the UK GDPR took effect and the DPA2018 was updated under the European Union (Withdrawal) Act 2018, with some technical changes to make them both work more effectively in a UK context – as the UK GDPR and the new DPA18. The EU GDPR still applies to controllers and processors that operate in, or process personal data of individuals within the EU. PECR also remains unchanged.
-
No, you will continue to receive all your statements and other communications about your account(s) in the same way.
-
The printed/downloadable version gives customers the essential information whereas the online version goes into more detail with some additional information for those customers who want to know more about the changes.
-
We may occasionally contact you to send you marketing information about our accounts or investments that we think you may be interested in. We may send this to you by post, by phone, by email and online. By providing us with your marketing preferences we will know how best to send this information to you. Or you can choose to receive no marketing from us at all. You can change your marketing preferences at any time online or by contacting us.
-
Online marketing means we may show you promotional messages that are tailored to you when you are logged in to our website. You can opt out of online marketing, but please note that you may still see online marketing messages – they just won’t be tailored to you specifically.
-
No. If you have already told us about your preferences, you don’t have to do anything. You can always change them later if you want to at any time, either online or by contacting us.
-
If you are registered for our online and phone service, you can amend your marketing preferences by logging in and going to the ‘Your details’ section. You can also do it by calling us. If you’re not registered, you’ll need to write to us – please make sure you include your name, address, NS&I number and/or account number.
-
We use information about our customers and how they use our accounts and services to create profiles of different types of customers. This helps us to better understand our customers and their savings needs.
-
We may sometimes use your personal details to test our systems, for example when we carry out a change or upgrade to our systems and processes. This testing is to make sure the change works as it should and doesn’t corrupt or delete your details when the upgrades go live.
-
From time to time we or our research partners may contact you to take part in surveys and other research to help us understand how best to meet our customers’ needs, and to find out what our customers think about our accounts and services. If you don’t want to receive any market research invitations, just let us know.
-
Market research is not the same as direct marketing as we’re not selling you anything. Although both rely on our legitimate interests (see legal basis), market research isn’t covered by direct marketing opt outs. Our surveys are entirely voluntary - if you do not wish to take part in them, just let us know.