NSM UK Privacy Policy

About NSM UK Holdings

This Privacy Notice outlines how NSM UK Holdings “we” or “us” or “our” or “NSM UK” collects and process data in accordance with data protection laws such as the Data Protection Act 2018 which is the UK’s implementation of the General Data Protection Regulation (GDPR).

NSM UK is the Holdings Company for three regulated entities, First Underwriting Limited (“FUL”), Kingfisher Insurance Services Limited (“KISL”), and Kingsbridge Risk Solutions (“KRS”). The three entities that form the Holdings Company are primarily involved in the provision of insurance, which enable the consideration of, access to, administration of, and making of claims on, insurance. 

So that NSM UK may provide insurance services, we will collect and use data about individuals. We are therefore known as a ‘data controller’ and are responsible for complying with various data protection laws.

NSM UK will receive personal information relating to potential or actual policy holders, as well as claimants and other parties that are involved in a claim.

References made in this Privacy Notice to “individuals” or “you” or “your” include any living individual whose personal information we receive in connection with the services we provide to our clients.

NSM UK have an appointed Data Protection Officer to oversee the handling of personal information we collect. If you have any questions about how we collect this data or how we store or use your personal information, you may contact our Data Protection Officer using information in the “Contacting Us” section.

Processing your personal information

Personal Data

What type of personal data might we collect?

We use personal data for the following purposes:

We may collect information about you from the following sources:-

Special Category Data

What type of special categories of data might we collect?

Why might we collect this data?

When we hold data it will only be used in accordance with this privacy notice and this policy should be read in conjunction with the Terms of Business that relates to your insurance policy with NSM UK group entites. There is no obligation to provide us with personal or special category information, but if you do not, we may not be able to provide products or services or administer claims.

Profiling and Automated Decision Making

We may use automated decision making, which includes profiling in our assessment of insurance risks and for the administration of policies. This is used to help us decide whether to offer insurance, determine prices and validate claims.
We may also use your personal data for profiling purposes. For example, we may analyse how many claims happen in a particular postcode or if some types of people are more likely to be involved in accidents than others. Using your data in this way assists Us in providing our customers with the lowest premiums possible.

Sharing of Personal Information

We share your personal data within NSM UK’s group of companies for the purpose of your interaction with us, such as for the provision of our services, general business operations and controls, marketing, data analytics, systems and algorithm improvements, surveys, benchmarking, and compliance with applicable laws. We may need to share your personal information with other recipients which could include:-

We do not transfer data internationally.

How we protect your information

In order to protect your information we use various technical and organisational security measures.

At NSM UK we restrict access to your information as appropriate to those who need to know that information for the purposes defined in this policy.

NSM UK use firewalls to block unauthorised traffic to the servers and Group servers are located in a secure location which can only be accessed by authorised personnel. We have internal procedures which cover the storage, access and disclosure of your information.

Retention of Personal Information

If you decide to take a policy with us, we will normally retain your personal data for up to seven years from when your policy expires. We may also retain telephone call recordings for up to seven years.
Where we have obtained your personal data directly or via a third party – for example an insurance broker, introducer or a marketing firm and We have your agreement to contact you at your next renewal, we will retain data for up to two years from your next renewal date.
If your insurance is an employer’s liability policy, we will retain the details of this policy for at least 60 years. This is to ensure that the details are available to you should an employee lodge a claim against you far into the future, such as may be the case for an industrial disease where symptoms may not present themselves for many decades.

What legal basis do we use for processing your personal data?

NSM UK will only use and store your personal data if we have a legal basis for doing so. It is your right as the subject of this data to be informed what the legal basis is for each type of processing that we undertake.

Your Rights

You have the following rights in relation to the data we hold about you, however some of these rights may not apply in certain circumstances – details are noted below. We have strict internal processes in place that ensure your rights are upheld and that any requests you make in relation to these rights are responded to within 30 days of you making it. You are not required to pay any charge for exercising your rights.

The right to be informed

You have the right as a data subject to be informed in a clear and precise manner about the data we hold about you. Within this privacy notice we detail the nature of this data we hold, the reasons we hold it, how this data is used, who we will share this data with, how long we will retain your data and the rights you have in relation to your data. If you require any further information, you can contact us using the details below.

The right of access

In order to demonstrate the legitimacy of the personal data we hold on you, its accuracy and the lawfulness of the processing we undertake, you have the right to request a copy of all data we hold about you. You can request this information free of charge using the details below. We will provide a copy of all personal data we hold about you within 30 days of you making this request.

The right to rectification

You have the right to ensure that all data we hold on you is both accurate and complete. If you are concerned that the data we hold about you is inaccurate or incomplete when considering the purposes for which your data is being used, you can ask us to rectify this. To do so, you should contact us using the details below.

The right to erasure – the right to be forgotten

You have the right to request that all of the data we hold on you be erased from our systems. We may only be able to comply with this request in specific circumstances. This request would also apply to any third party whom we had shared your data with, and we would notify them accordingly if your request was valid. We will not be able to erase your data in all circumstances. For example, we would not be able to erase data that is being processed for the purposes of administering a live or lapsed insurance policy unless policy has been lapsed for seven years or more – or longer in some circumstances. This is because we have a legal obligation to retain this data for the defence of legal claims should a third party make a claim against your policy. If you require any further information, or you wish to exercise your right of erasure, you should contact us using the details below.

The right to restrict processing

You have the right to restrict our processing of your data under the following circumstances:

If you wish to exercise your right to restrict processing, you should contact us using the details below.

The right to data portability

Where we are processing data under the basis of contractual performance or consent you have the right to request that we provide your data in a machine-readable format that you can then share with other businesses or in any other way you see fit. You have the right to request that we transfer your data to third parties directly for them to use as you see fit. You are able to utilise your data in this way by contacting us using the details below.

The right to object

You have the right to object to your data being processed. The right to object for direct marketing purposes or profiling of your data for the purpose of direct marketing is absolute and we must cease the processing of your data for these purposes. However, for other processing the right to object is not absolute and there may be some compelling reason why we need to continue processing your data. Please contact us using the details below if you want to exercise this right.

The rights regarding automated decision making and profiling

You have the right to request human intervention into any process involving automated decision making where this results in a legal implication to you. This right would not apply to underwriting decisions or to applications for credit made on our website or internal system as this automated decision making is required for entering into a contract with us. Currently, we do not use automated decision making for any other functions, but if you have concerns regarding this, please contact us using the details below.

The right to complain

You have the right to complain about the use of your personal data – in the first instance please contact us using the details below. Our complaint handling procedure is available upon request or can be accessed from the NSM UK website. You are also entitled to complain to the Information Commissioner by writing to:

Information Commissioner’s Office
Wycliffe House
Water Lane

Alternatively, you can access their website here.

If you have any questions about how we use personal information, you can contact our Data Protection Officers as follows:

Last Updated: April 2024 | Next Update: January 2025