1. Introduction

We are committed to safeguarding the privacy of you, our members. We have established several service delivery channels to include in-person, online, telephone etc. This Privacy Notice applies where we are acting as a data controller with respect to the personal data of you, our members; in other words, where we determine the purposes and means of the processing of your personal data. This Notice also applies to the personal data that we collect and handle for the purposes of providing and maintaining our services. For the purposes of this Notice, “personal data” means any information relating to an identified or identifiable individual.

 

Our service delivery channels incorporate privacy controls which affect how we process your personal data. By using privacy controls, you can specify whether you would like to receive direct marketing communications and limit the collection, sharing and publication of your personal data.

 

We use “cookies” on our website. “Cookies” are small pieces of information that a website sends to your computer’s hard drive while you are viewing on a website. Insofar as those cookies are not strictly necessary for the provision of our website and services, we will ask you to consent to our use of cookies when you first visit our website. You may also configure your browser to ensure no cookies are stored on your hard drive.

 

In this Notice, “we” or “the Credit Union” refers to NAJ & Health Services Co-operative Credit Union Limited (NAJ&HSCCU). For more information about us, please visit our website at https://najhsccu.com/.

2. Personal Data We Collect

In this Section, we have set out the general categories of personal data that we process and, in the case of personal data that we did not obtain directly from you, information about the source and specific categories of that data.

 

We may process data enabling us to get in touch with you (“contact data”). The contact data may include your name, email address, telephone number, and/or social media account identifiers. The source of the contact data is you and/or your employer. If you log into our website using a social media account, we may obtain elements of the contact data from the relevant social media account provider.

 

We may process your website user account data (“account data”). The account data may include your account identifier, name, email address, business name, account creation and modification dates, website settings and marketing preferences. The primary source of the account data is you and/or your employer, although some elements of the account data may be generated by our website. If you log onto our website using a social media account, we will obtain elements of the account data from the relevant social media account provider.

 

We may process information contained in or relating to any communication that you send to us or that we send to you (“communication data”). The communication data may include the communication content and metadata associated with the communication.  Our website will generate the metadata associated with communications made using the website contact forms.

 

We may process data about your use of our website and services (“usage data”). The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source   of the usage data is our analytics tracking system.

 

We may process general categories of data. This data may include a list of specific items of data. The source of this data is identifying source. Personal data may also be used based on the legitimate interests pursued by the Credit Union or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Types of Data We Collect:

We collect a wide range of Personal Data to allow us to conduct business with you. The types of Personal Data we may collect directly from you our members, prospective members, visitors and users of our website include:

 

  • Valid Photo ID, for example a Passport, Driver’s License or ID card
  • Taxpayer’s Registration Number (TRN)
  • National Insurance Number (NIS)
  • Proof of Employment
  • Address including proof of address and past addresses
  • Email address
  • Contact information
  • Character references
  • Birth certificate
  • Personal information for – Next of Kin, Beneficiaries & Spouse
  • Declaration of US citizenship, Tax residency, if appropriate
  • Mother’s maiden name
  • Employment Status & Details
  • Politically Exposed Person Status
  • Financial Information
  • Transaction Records
  • Image Capture via CCTV or webinar recording

3. How We Collect Data

In this Section 3, we have set out how the data at 2 may be collected. We may collect your Personal Data through the following means:

 

  1. Information you provide via our Website, Social Media Networks or Events

We may collect any personal data that you choose to send to us or provide to us via our website, through cookies, social media networks or when registering or attending an event, e.g. our annual general meetings.

 

  1. Information you provide when accessing our Services

Personal data is collected by our Cashiers, Member Service Representatives and our Accounting, Loans, Marketing and Compliance personnel. We receive and store the information you provide directly to us to access our products and services. For example, when applying to become a member, opening an account or transacting business at our offices.

 

  1. Third Parties

In some instances, we may collect Personal Data from public and non-public sources and third parties for regulatory purposes or to better serve you. These include credit bureaus, references, other financial institutions, regulatory bodies and related entities.

4. Purposes and Legal Bases for Processing Personal Data

4.1 In this Section 4.1, we have stated the lawful basis we are permitted to/or are required to collect such data as set out in Section 23 and 24 of the Data Protection Act:

 

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. 

 

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

 

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

 

(d) Vital interests: the processing is necessary to protect someone’s life.

 

(e) Public purpose: the processing is necessary for you to perform a task in the public interest, for the administration of justice or for a statutory function, and the task or function has a clear basis in law.

 

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

 

(g) Publication: where the individual concerned (data subject) has published the data.

4.2 In this Section 4.2, the purposes for which NAJ & Health Services Co-operative Credit Union may process personal data and the legal bases of the processing has been set out.

 

(a) Operations – We may process your personal data for the purposes of operating our website and collecting information within our core banking system, the processing and fulfilment of transactions, send related information, including transaction confirmations providing our products and services, generating receipts, processing payments, manage your use of the services, respond to enquiries and comments, provide member service and support, send alerts and updates, security notifications, administrative communications, verify your identity, creditworthiness and the accuracy of the information provided and to trace debtors and recover debts.

The legal basis for this processing is our legitimate interests, namely the proper administration of our website, services and business OR the performance of a contract between you and us and/or taking steps, at your request, to enter such a contract.

 

(b) Publications – We may process account data for the purpose of publishing such data on our website and elsewhere through our services in accordance with your express instructions. The legal basis for this processing is consent OR our legitimate interests, namely the publication of content in the ordinary course of our operations OR the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract OR otherwise specified.

 

(c) Relationships and communications – We may process contact data, account data, transaction data and/or communication data for the purposes of managing our relationships, communicating with you (excluding communicating for the purposes of direct marketing) by email, SMS, post, fax and/or telephone, providing support services and complaint handling. The legal basis for this processing is our legitimate interests, namely communications with our website visitors, service users, individual customers and customer personnel, the maintenance of relationships, and the proper administration of our website, products and services and business OR any other purpose that may be deemed necessary.

 

(d) Direct marketing – We may process contact data, account data and/or transaction data for the purposes of creating, targeting and sending direct marketing communications by email, SMS, post and/or fax and making contact by telephone for marketing-related purposes. The legal basis for this processing is consent OR our legitimate interests, namely promoting our business and communicating marketing messages and offers to our website visitors and service users.

 

(e) Research and analysis – We may process usage data and/or transaction data for [the purposes of researching and analyzing the use of our website and services, as well as researching and analyzing other interactions with our business. The legal basis for this processing is consent OR our legitimate interests, namely monitoring, supporting, improving and securing our website, services and business generally.

 

(f) Record keeping – We may process (your personal data) for the purposes of creating and maintaining our databases, back-up copies of our databases and our business records generally. The legal basis for this processing is our legitimate interests, namely ensuring that we have access to all the information we need to properly and efficiently run our business in accordance with this notice.

 

(g) Security – We may process (your personal data) for [the purposes of security and the prevention of fraud, money laundering and other criminal activity. The legal basis of this processing is our legitimate interests, namely the protection of our website, services and business, and the protection of others.

 

(h) Insurance and risk management – We may process your personal data where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.

 

(i) Legal claims – We may process your personal data where necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.

 

(j) Legal compliance and vital interests – We may also process your personal data where such processing is necessary to investigate and prevent fraudulent activities, unauthorized access to our services, and other illegal activities; and compliance with a legal obligation to which we are subject or in order to protect your vital interests or the vital interests of another natural person.

5. Compulsory Information

The personal data you provide to us is necessary for us to comply with our legal and regulatory obligations to carry out identity verification (Know-Your-Customer or “K-Y-C”) and employee screening (“Know-Your-Employee”) procedures under the Proceeds of Crime Act, Terrorism Prevention Act and other anti-money laundering rules and regulations. If data subjects fail to provide us with the necessary information, we will be unable to conduct our “KYC” or “KYE” procedures and consequently, we will not be able to offer any of our products or services to prospective members or offer employment to prospective candidates.

6. How We Protect Your Personal Data

NAJ&HSCCU is committed to protecting the security of your Personal Data as best as possible. We (and our third-party service providers) use a variety of industry-standard security technologies and procedures, as well as organizational measures to help protect your Personal Data from unauthorized access, use, or disclosure, such as:

 

  • We use vulnerability scanning and/or scanning to PCI standards.
  • We use regular Malware Scanning.
  • Your Personal Data is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential. In addition, all sensitive information you supply is Encrypted via Secure Socket Layer (SSL) technology.

 

We implement a variety of security measures when a user enters, submits, or accesses their information to maintain the safety of your personal information.

Although no method of transmission over the Internet, or method of electronic storage, is 100% secure, NAJ&HSCCU uses reasonable efforts to ensure your Personal Data is protected to the best of our ability.

7. Providing Your Personal Data To Others

We may disclose your personal data to our insurers and/or professional advisers in so far as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice.

 

      1. We may disclose your personal data held on our website and physical database on the servers of our hosting services providers to relevant parties as is deemed necessary to carry out the business of the credit union.

    1. We may disclose your personal data to our suppliers or subcontractors if necessary for specific purposes.

 

In addition to the specific disclosures of personal data set out in this Section 5, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where   such disclosure is necessary for the establishment, exercise, or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

8. Cross-Border Transfer Of Your Personal Data

    1. The hosting facility for our core banking system is Microsoft Software Design (MSD) situated in Trinidad and Tobago. Personal data we collect about you will be processed in Trinidad and Tobago for the purposes set out in this notice. By using our services, you acknowledge that your personal data will be transferred to Trinidad and Tobago.

    2. We may transfer your personal data from Jamaica to Trinidad and Tobago and process    that personal data in Jamaica for the purposes set out in this notice and may permit our system providers and subcontractors to do so, during any period with respect to which the Jamaica is not treated as a third country under Trinidad and Tobago data protection laws or benefits from an adequacy decision under Jamaica data protection law.

    3. The competent data protection authorities have made an adequate determination with respect to the data protection laws of this country. Transfer to this country and any other country in the future that may need to process members data on our behalf will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the competent data protection authorities.

You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. However, we will make reasonable efforts to ensure that your Personal Data is protected.

9. Retaining And Deleting Personal Data

This section sets out our data retention policies and procedures, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.

 

Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

We will retain your personal data as follows:

 

(a) Contact data will be retained for a minimum period of 7 years following the date of the most recent contact between you and us, and for a maximum period of 7 years following that date;

(b) Account data will be retained for a minimum period of period following the date of closure of the relevant account, and for a maximum period of period following that date;

(c) Transaction data will be retained for a minimum period of 7 years following the date of the transaction, and for a maximum period of period following that date;

(d) Communication data will be retained for a minimum period of 5 years following the date of the communication in question, and for a maximum period of 5-7 years following that date;

(e) Usage data will be retained for 7 years following the date of collection; and

(f) Data category will be retained for a minimum period of 5 years, and for a maximum period of 7 years.

 

Notwithstanding the other provisions of this Section 7, we may retain your personal data for longer periods where such retention is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person.

 

10. Your Rights

 

In this section, we have listed the rights that you have under Jamaica’s data protection law.

 

Your principal rights under data protection law are:

 

  1. the right to access – you can request information on the type of your personal data that is being processed by us, the purpose for which it is being processed and the recipients to whom the data is disclosed. This must be requested in writing, on a prescribed form;                   
  1. the right to rectification – you can ask us to rectify inaccurate personal data and to complete incomplete personal data;
  1. the right to restrict processing – you can ask us to restrict the processing of your personal data;
  1. the right to be informed about automated decision making – You may request in writing that decisions regarding your Personal Data that have been made solely on the basis of automated processing be reconsidered with human involvement;
  2. the right to object to processing – you can object to the processing of your personal data;
  3. the right to data portability – you can ask that we transfer your personal data to another organization or to you;
  4. the right to complain to a supervisory authority – you can complain about our processing of your personal data to the Information Commissioner; and
  5. the right to withdraw consent – to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent in writing.
  6.  

If you wish to exercise any of your rights in relation to your personal data, please contact us or our Data Protection Officer by email at dpo@najhsccu.com.

Changes to This Privacy Notice

 

Data privacy and protection is an ongoing responsibility and so this Privacy Notice is subject to occasional revision to ensure that it remains in line with the ever-evolving regulatory and security landscape. NAJ & Health Services Co-operative Credit Union therefore reserves the right, at its sole discretion, to modify or replace any part of this Privacy Notice. We will alert you to material changes by, for example, placing a notice on our website when we are required to do so by the Data Protection Act.

 

It is your responsibility to check this Privacy Notice periodically for changes. Continued use of our Site or Services indicates your acknowledgement that it is your responsibility to review this Privacy Notice periodically and become aware of any modifications. Changes to this policy are effective once they have been uploaded to our website.

 

If you have questions, requests or concerns regarding your privacy and rights, please let us know how we can help by contacting us using the information below.

Contact Information

 

Data Protection Officer

Privacy & Legal Management Consultants Limited

 

Name

NAJ & Health Services Co-operative Credit Union Limited

 

Address

6 Trevennion Park Road, Kingston 5

 

Contact Number

876-929-0070/960-5626

 

WhatsApp

876-832-0872

 

Email

dpo@najhsccu.com 

 

Last Updated: May 2024.