We just wanted to highlight a couple of data collection and processing issues some Credit Unions have experienced.
Sensitive Data
Credit Unions may collect sensitive data, for example trade union membership or medical information. It is important that you make sure you have completed a proper assessment of why you hold that data. The ICO has provided an Appropriate Policy Document Template to allow you to document that assessment.
If you collect medical details for members, you should also consider whether you require them; if not, they should be removed. You should also consider the purpose for which you are collecting this information and whether your use of medical data complies with the Equalities Act.
Criminal record information that you collect for employee/director checks also has specific rules, and you should ensure you follow the ICO requirements on the ICO website.
National Insurance
We have been getting questions recently on the collection and processing of National Insurance numbers (NINOs) and GDPR. We understand that the ICO is treating NINOs more seriously as there is a high risk of fraud/identity theft. It is therefore important that Credit Unions can justify the processing of NINOs for each of the members they collect and process them for. So if you only need the NINO for loans, you should collect it as part of the loan application and not on member application forms.
The ICO has taken the view that processing NINOs only as a means of identification where there are reasonable alternatives is not appropriate. It should be noted that NINOs are not required for Single Customer View (SCV) files. There are a number of cases where it will be necessary to collect NINOs, for example if DWP benefits are received and there is no other identifier apart from the NINO for members.
We would therefore ask all clients to ensure that they can fully justify the use of NINOs where they collect this information and ensure this is fully documented.