Data protection

This article outlines how NestEgg acts as a data processor

Written by Adrian Davies
Updated over 2 years ago

NestEgg’s approach

NestEgg believes that data should be used for the public good. To support this vision the company aims to ensure that use of data:

  • Protects by default. The starting point for NestEgg services is the assumption of total privacy.

  • Enhances inclusion. Traditional credit assessment data can be indirectly discriminatory. Data for assessing credit risk adjusts to consider the needs of the most vulnerable.

  • Serves the public. NestEgg’s focus is good consumer outcomes, not the monetary value of information. Data should help transform the economy for the common good.

  • Promotes accountability. Automated decision making should use clear and accountable algorithms that are reviewed to ensure fair outcomes.

  • Increases transparency. Data subjects should have the right to know how their data is used to assess credit. Consumers should be given the opportunity to improve their financial identity and be provided with the educational tools to do so.

  • Securely protects sensitive information. NestEgg processes data in a secure environment. Information is retained and processed in accordance with best practice.

This policy sets out definitions, the principles for data processing and lists the key systems and controls put in place to protect data. It describes what happens in the event of a breach and links to a Data Processing Agreement.

Definitions

NestEgg is a data processor. Processors are natural or legal persons, public authorities or other bodies processing data on behalf of data controllers.

Data processing is any action or set of actions performed on personal data or sets of data, whether automated or not.

NestEgg clients are data controllers. Controllers are natural or legal persons, public authorities or other bodies which establish the purpose and method of data processing, alone or together with other actors.

Personal data is any information related to an identified or identifiable data subject.

Personal data breach is a breach of security that caused accidental or intentional loss, destruction, disclosure or access to processed or transmitted personal data.

Supervisory body is an independent public authority established by an EU Member State in accordance with Article 51 of the EU General Data Protection Regulation, or its post-Brexit equivalent in the UK.

Third parties are natural or legal persons that are not data controllers or processors but are authorised by them to process personal data.

Company Personal Data means any Personal Data Processed by a Contracted Processor on behalf of Companies pursuant to or in connection with any agreements in place.

Contracted Processor means a Subprocessor or processor that has entered into a Data Processing Agreement.

Subprocessor means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the Agreement.

The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

GDPR means EU General Data Protection Regulation 2016/679.

Principles and purposes of processing

Purpose limitation. The processing of personal data is limited to the purpose for which it was originally collected from the data subject.

Data minimisation. Only the personal data absolutely required for the purpose of credit assessment is requested. NestEgg will work with the Data Controller to ensure that processing involves the least amount of data possible.

Accuracy. As a data processor, NestEgg is responsible for collecting the initial data required for credit assessment. Its Fraud Prevention tools can only provide a limited indication of whether the information provided by a data subject is correct. Data controllers are responsible for ensuring the ongoing accuracy of data.

Integrity and confidentiality. Personal data is processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing. Data Controllers must ensure that data cannot be modified by unauthorised persons.

Storage limitation. Personal data is retained for the minimum time necessary. That is, personal data will be deleted once the legitimate purpose for which it was collected has been fulfilled.

Fair and transparent. All personal data processing should be fair; that is, NestEgg does not perform processing unless it is legitimate. As data controllers, NestEgg clients should inform the data subject in an open and transparent manner.

Systems and controls

Protection by default. NestEgg designs its software so that data subjects must always opt in to data sharing. The NestEgg workflow includes references to data policies during the application process, which data subjects are encouraged to read before proceeding. Options for providing further information (such as bank statements) are offered so that applicants do not feel they have no option but to agree to Open Banking.

Enhancing inclusion. Data sources are used to improve the likelihood that individuals facing financial exclusion are not unfairly turned down for credit. Open Banking data shows recent behaviours whilst credit bureau data provides a historical perspective.

NestEgg will continue to explore enhancing data sets to improve decision outcomes for vulnerable consumers. It will develop reporting systems that provide a holistic view of an applicant’s financial well-being moving beyond the traditional use of credit bureaux data.

Serves the public. Use of data should provide good consumer outcomes that serve the wider public. With the appropriate regulatory permissions in place NestEgg:

  • Promotes accountability. Decision outcomes are regularly monitored so that declines are based on analyses of loan bad rates.

  • Increases transparency. Precise details of decision-making processes must remain confidential so that applicants are not able to ‘game’ the systems used. With NestEgg’s Registered Account Information Services Provider and Credit Information Services regulatory statuses in place, more information can be shared with applicants on how they can improve their chances of being accepted for loans.

  • Securely protects sensitive information. NestEgg processes all personal data both in transit and at rest using advanced encryption standards.

Purpose limitation. Data is only used for the purposes of credit assessment. All data retrieved is only used to help NestEgg clients assess the creditworthiness of loan applicants, prove their identity and prevent fraud. Anonymised data is used to improve the accuracy of decision making.

With appropriate regulatory permissions, NestEgg may use the data (with the consent of controllers and data subjects) to provide assistance to applicants so they can improve their credit profile.

Data minimisation. A minimum set of data is required for credit assessment, although data controllers may request that NestEgg, through the Workflow product, collects additional information that is required to set up a membership account and report key performance indicators to senior managers, boards, stakeholders and funders.

Accuracy. As a processor NestEgg’s responsibilities are limited to information gathering services providing accurate input (for example validated fields on the dashboard and workflow). NestEgg provides fraud prevention services to reduce the risk of applicants giving false and misleading information, but NestEgg cannot guarantee the identity of an applicant.

Integrity and confidentiality. The integrity of personal data is maintained by ensuring that it is stored as simply and in as few locations as possible. Confidentiality is maintained by limiting access to personal data to as few client end-users as possible. These users are required to use corporate email accounts as part of their credentials to access consumer personal data.

Storage limitation. The decision engine anonymises data used for loan decisions at the end of the loan term.

Fair and transparent. NestEgg clients, as data controllers, are responsible for gathering informed consent from applicants during the application process. Clients must include a visible privacy policy that includes the CRAIN declarations provided, from time to time, by Credit Reference Agencies.

Responsibilities

NestEgg is a data processor. As such the company:

  • Follows instructions from clients regarding the processing of personal data.

  • Is given the personal data by the client, through the dashboard or Workflow.

  • Does not decide to collect personal data from individuals.

  • Does not decide what personal data should be collected from individuals.

  • Does not decide the lawful basis for the use of that data.

  • Does not decide what purpose or purposes the data will be used for.

  • Does not decide whether to disclose the data, or to whom.

  • Does not decide how long to retain the data.

  • May make some decisions on how data is processed but implements these decisions under a contract.

  • Is not concerned with the result of the processing.

NestEgg clients are data controllers. As such they:

  • Decide to collect or process the personal data.

  • Decide what the purpose or outcome of the processing is to be.

  • Decide what personal data should be collected.

  • Decide which individuals to collect personal data about.

  • Obtain a commercial gain or other benefit from the processing.

  • Are processing the personal data as a result of an Agreement between them and the data subject.

  • Make decisions about the individuals concerned as part of or as a result of the processing.

  • Exercise professional judgement in the processing of the personal data.

  • Have a direct relationship with the data subjects.

  • Have complete autonomy as to how the personal data is processed.

  • Have appointed the processors to process the personal data on their behalf.

For NestEgg, Adrian Davies is the Data Protection Officer (DPO). The DPO is responsible for ensuring compliance with data protection regulations. They are the main point of contact on data issues for clients and regulatory authorities. The DPO is responsible for assessing the risk of activities in relation to regulations and carries out a Data Protection Impact Assessment when NestEgg introduces new services.

The DPO is responsible for ensuring that all agreements are maintained, updated and consented to by clients.

For NestEgg, Ben Breen is responsible for technical requirements relating to data protection, including information security and the compliance of third-parties that provide data services to NestEgg.

Data retention policy

NestEgg only holds data for as long as is required according to the purpose for which the data was obtained.

NestEgg will carry out periodic reviews of the data retained, checking purpose, continued validity, accuracy and requirement to retain.

The data subject (end-user) shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller (and therefore any processor) shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

  • The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing.

  • The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.

  • The personal data have been unlawfully processed.

  • The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

  • The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

Where the controller has made the personal data public and is obliged pursuant to paragraph 7.3 in the attached policy document to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. As processor NestEgg will support the controller to discharge these obligations.

7.3.2 and 7.3.3 in the attached policy document shall not apply to the extent that processing is necessary:

  • For exercising the right of freedom of expression and information.

  • For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  • For reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR.

  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

Declined loan decisions are anonymised after 90 days. Accepted loan decision data is anonymised within 1 year of the term of the loan agreement. Savings applications are anonymised after 90 days.

Contracts are maintained for seven years after the contract termination.

Staff records are maintained for seven years after termination of employment.

Financial records are maintained for seven years.

Customer chat records are held for two years.

Client communications are maintained for seven years after contract termination.

Sales and marketing records are kept for three years.

Subscriber details to marketing lists are removed immediately upon request.

Data Breach Response and Notification Procedure

As soon as a personal data breach is identified the DPO must be informed.

The extent of the impact and the scope of the personal data breach must be identified:

  • Ascertaining that personal data was breached.

  • Estimating the number of data subjects whose personal data was possibly breached.

  • Determining the possible types of personal data that were breached.

  • Listing security measures that were already in place to prevent the breach from happening.

NestEgg is the processor of personal data. The DPO will notify the responsible person stated in its contract with the controller. The communication will include contact details of the DPO, details of the breach, likely impact, actions already in place, and those being initiated to minimise the impact of the data breach. It should also state that further impact is being investigated (if required) and that necessary actions to mitigate the impact are being taken.

NestEgg will take all possible measures to reduce the risk and contain further unauthorised access. It should continue to refine the original estimate of the number of data subjects breached and the types of personal data that were breached.

Once the personal data breach has been contained, NestEgg will conduct a review of existing measures in place, exploring ways in which measures can be strengthened to prevent a similar breach. All identified measures will be monitored to ensure that the measures are satisfactorily implemented.

The breach will be recorded on the Breach Register.
