Bank customer profiles how long is data held for

booneruk

blue.peter said:

When I closed my First Direct accounts, I was explicitly told that they'd retain my data "in case you ever decide to come back to us". So the clear implication is that they (and, presumably, the rest of HSBC) will keep customer data indefinitely.

First Direct have long memories! Knowing I'd never had a current account with them, I recently applied with the expectation of netting their switch bribe. However, post application they told me I was not a new customer! I searched the memory banks and recalled nearly 2 decades ago having a savings account with them for an extremely brief period.

DullGreyGuy

Nasqueron said:

DullGreyGuy said:

blue.peter said:

When I closed my First Direct accounts, I was explicitly told that they'd retain my data "in case you ever decide to come back to us". So the clear implication is that they (and, presumably, the rest of HSBC) will keep customer data indefinitely.

They do hold some data at least as was refused transfer bonus to FD as allegedly held an ISA with them over a decade earlier. 

Nasqueron said:

artyboy said:

Once LBG decides they don't want you, they say that if you ever try to open an account with them, they will immediately close it. That suggests they consider it appropriate to retain forever at least a basic record of you for identification purposes.

Yes banks, and any private business, is allowed to hold data as long as they deem necessary. 

Not strictly true, they must have a legitimate business need and the ICO have fined firms for holding onto data "just because" and not having a need. 

Its not too hard to have a legimate need, like being able to manage brand new customer only offers, but still that'd be limited to data to identify the person, if you were also holding medical conditions for the purposes of the free travel insurance it would be hard to justifying retaining knowledge that a customer is HIV positive for the purposes of managing new customer promotions. 

I'm not sure why my posts have to be replied to, in order to provide a correction that simply says the same as I already did. A bank could always justify holding data for business purposes - hence what they "deem necessary". 

Per forum team advice, I am adding you to the ignore list.

The point is that they cannot always justify it, their business justification must be proportionate and balanced against the customers rights. As per the example, it may be proportionate to keep the name and ID details of a person to prevent them from receiving two introductory bonuses but that same justification couldn't be used for keeping their medical records. A company could attempt to say they want to keep the medical records such that if the customer returns they can be used for cross selling purposes but its highly unlikely such a justification would be considered acceptable by the ICO.

GrubbyGirl_2

I believe the information commissioner requires organisations to have a data retention policy.  I worked for the NHS and they have a very comprehensive policy for different types of information.  Ask the bank for their data retention policy

eskbanker

blue.peter said:

When I closed my First Direct accounts, I was explicitly told that they'd retain my data "in case you ever decide to come back to us". So the clear implication is that they (and, presumably, the rest of HSBC) will keep customer data indefinitely.

The clear implication is that FD (and not necessarily HSBC) will keep some customer data indefinitely, i.e. enough to validate (in)eligibility for new customer incentives.

boingy

GrubbyGirl_2 said:

I believe the information commissioner requires organisations to have a data retention policy.  I worked for the NHS and they have a very comprehensive policy for different types of information.  Ask the bank for their data retention policy

You shouldn't have to ask them. It should be published on their website alongside a Data Retention Schedule, Privacy Policy, Data Protection Policy etc.

DullGreyGuy

boingy said:

GrubbyGirl_2 said:

I believe the information commissioner requires organisations to have a data retention policy.  I worked for the NHS and they have a very comprehensive policy for different types of information.  Ask the bank for their data retention policy

You shouldn't have to ask them. It should be published on their website alongside a Data Retention Schedule, Privacy Policy, Data Protection Policy etc.

Are you sure? If so this site is in breach of the data protection legislation and so is every other one that I've quickly looked at. 

They must have a published privacy policy and it must cover certain topics but not heard of them having to publish the retention schedule. This site (https://www.moneysavingexpert.com/site/privacy-policy/) simply states...

We'll only hold your personal information on our systems for the period necessary to fulfil the purposes outlined in this Privacy Policy and/or in cases in which you've provided your consent (which you may withdraw at any time), or until you request it is deleted (unless a longer retention period is required or permitted by law).

Which is a vast distance away from the 20 page retention schedule a prior insurer had which equally isn't published on their website