OneID® Privacy Notice
Update: Please read this privacy notice carefully as it has been updated with effect from 29 June 2023 to inform you about changes to how we collect and use personal information.
Overview
This privacy notice (and any other fair processing or privacy notice, such as cookie notices, that we may provide to you from time to time) explains the following in relation to your use of the OneID® service:
Who we are
We are OneID Limited, a UK company whose mission is to help you prove who you are online in a safe and secure way, under your control and consent.
For the purpose of applicable data laws, we are the data controller of the personal information processed for the purposes set out below.
Further details can be found on our website.
How you can check who we are
Enabling trust online is at the heart of what we do, and that starts with us as a company.
We are registered with:
Laws that govern what we do
We are committed to ensuring that your privacy is protected, and we comply with the relevant parts of the following laws:
We will only use your information if we have a legal reason for doing so, including:
How we collect and use your personal information
OneID® is a service that enables you to securely share your personal data from your bank with a 3rd party organisation to access their goods or services (e.g. a retail website). We may also obtain your personal data from other trusted data sources such as credit reference agencies (acting as “Attribute Service Providers”) as a standalone source of data or where your bank does not hold or provide us with all the relevant information. There are three scenarios in respect of which we may process your personal information in relation to your use of OneID:
Also, when you use OneID we will collect limited usage data by reference to your OneID Identifiers (such as system logs) to enable the proper operation of OneID, to enable us to comply with legal requirements, and for operational reasons such as issue resolution and complaint handling (“Usage Data”). We use “performance of a contract”, “compliance with our legal and regulatory obligations”, “legal claims” and “our legitimate interests” as the legal basis for this.
What information do we collect about you?
In order to supply you with the OneID service, we will collect some or all of the following Identity Data from your bank or an Attribute Service Provider (in both cases, with your consent) and pass it on to the relevant 3rd party provider of goods/services:
We may also collect information from your bank which relates to the type of account that you hold with them and characteristics of this type of account, such as whether your bank account has a credit/overdraft facility or whether it is a student account.
As mentioned above, we will also receive your Bank Identifier from your bank and we record your Usage Data against your OneID Identifiers.
If you contact us for any reason, the Contact Data we collect about you will depend largely on the reason for your contact, what data you decide to provide to us and what other data (if any) we may need to collect in order to address your query, but will, as a minimum, include your name/email address.
What information do we store?
We minimise the personal data that we do store to only that which is strictly necessary for us to provide the service (OneID Identifiers, Usage Data and in some cases Identity Data).
We aim to never store any of your Identity Data. As such, we will not store your Identity Data if it is possible to retrieve this directly from your bank and pass this straight to the relevant 3rd party. In this case we will not keep any copies. We will never store your Bank Identifier(s).
Where we are unable to retrieve all of the information necessary from your bank and depending on the reason you are using OneID, we may store some of your Identity Data (such as your address, date of birth, email address or mobile number). If we do store any of your Identity Data, we store this in an encrypted form, which is only accessible by you (via a bank authentication), through a subsequent use of OneID.
We store the Identity Data, OneID Identifiers and your Usage Data so we can: provide a view of your Usage Data via a consent-management service when you next log in to OneID (via a bank authentication), where you can view the parties that you have shared your data with (a “Consent Console”); confirm, if you need to use OneID again, even for another 3rd party, that your identity has been previously verified, so you do not have to keep repeating the process; and provide general account management services.
If we do ever receive Contact Data about you we will retain and only use it to address the matter in question.
How we keep your information secure
We have appropriate security measures to keep the information we hold about you (the OneID Identifiers, your Usage Data, your Identity Data and any Contact Data) safe and secure. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Any Identity Data we store is hashed and encrypted. This process means that the encryption is only reversible if you make a subsequent use of OneID, following a bank authentication. In order to identify you, we would need you to contact us with your OneID Identifier, which we would need to pass to your bank to identify you. This Identity Data is not accessible in any other way.
How long do we keep your information for?
We will keep your transactional data (including your OneID Identifiers and Usage Data), and any Contact Data we hold, while we are providing services relating to you, and afterwards for 7 years in order to:
We will not retain your personal information for longer than necessary for the purposes set out in this notice. When it is no longer necessary to retain your information, we will delete or anonymise it.
We will not use your information for marketing, or sell it
We will not use your personal information to provide you with marketing and promotional materials, and we will never sell and/or share your personal information with third parties for marketing purposes.
Why we may need to share your information, and who we might share it with
We may share your information with others where lawful to do so including where we or they:
We will share your Identity Data, with your consent, with 3rd parties with whom we have a contractual relationship, in order to provide account opening, authentication and age verification services to enable you to easily prove who you are or how old you are online. We will also share your OneID Identifiers with those 3rd parties in order to provide those services and to manage our relationship with you.
We may also share your information with others, including:
Transferring your information overseas
If we transfer personal information to countries outside the UK and/or EEA which may not have the same level of data protection as the UK or EEA, we will only do so where appropriate safeguards are in place to enable us to legitimately and legally transfer data to them, such as: (i) transfers to countries with EEA/UK "adequacy" rulings; and/or (ii) where appropriate contractual (or other) arrangements are in place.
Your rights in relation to your information
You have various rights, including the following:
More detailed information about your data protection rights can be found at the ICO here. However, please note that because of the advanced privacy measures which we have built into the OneID service: (i) the rights listed above do not generally apply to your Identity Data because we do not keep copies of it, so you would have to contact your bank or the 3rd parties with whom you have shared your Identity Data to exercise your rights in respect of Identity Data; and (ii) because we cannot tell who you are from the OneID Identifiers we hold on our system, you will need to re-authenticate yourself with your bank (so that we can match your Bank Identifier to your OneID Identifier(s)) in order for us to confirm your identity and then assist you with your rights in relation to OneID Identifiers and Usage Data.
How to contact us
If you would like more information or have questions about this privacy notice or your rights in relation to your information, please contact us via email or letter to:
If you have a concern about your data, please contact us first to help you resolve it. The ICO provides some guidance on how to do this here.
Changes to this privacy notice
We may change this privacy notice from time to time; when we do, you will be able to see the updated version when you next use OneID and also on our website here.