Secure Trust Bank Group comprises Secure Trust Bank PLC, V12 Retail Finance Limited, Debt Managers (Services) Limited and STB Leasing Limited ("we", "our", "us"). We hold and process data on current and former employees, individual contractors, applicants, interview candidates, agency workers, consultants, directors and third parties whose information you provide to us in connection with our relationship (e.g. next-of-kin, emergency contact information and/or dependents) ("you" or "your").
We act as a "controller", and in doing so, we take your data protection rights and our legal obligations seriously. Your personal data will be treated in a secure and confidential manner and only as set out below.
When we use "we" in this notice we mean us or anyone acting on our behalf. See 'How we share your information' section for details of those acting on our behalf.
Please read this privacy statement carefully as it contains important information to help you understand our practices regarding any personal data that you give to us.
We collect personal data:
- directly when you register interest about a job vacancy with us;
- directly during the course of considering an application for a job vacancy, on our website, in an interview, in writing or over the phone (including via recording of calls or video conferencing technology);
- indirectly from a recruitment agency which helps arrange the application for you;
- indirectly from third parties including your former employers, tax authorities, credit reference agencies and fraud prevention agencies.
Personnel, including current and former employees, individual contractors, applicants, agency workers, consultants, directors:
We collect personal data:
- directly from you and from observing you during your employment or engagement with us, in person, in notes of one to one meetings, performance assessments and discussions with your line manager, on the intranet or over the phone;
- indirectly from third parties including tax authorities, or providers of the flexible benefits you opt for, and credit reference agencies and fraud prevention agencies;
- that is recorded in building access, CCTV in and around our offices and IT systems access records, and in your activity on IT systems; and
- that is recorded in attendance records for training, meetings and events you participate in, contact centre scheduling and resourcing systems.
Third Parties, including next-of-kin, emergency contact information and/or dependents:
We collect personal data indirectly from the relevant Candidate or Personnel connected to us.
This personal data includes your:
- name, including any previous names;
- date of birth;
- address, and your address history;
- telephone number;
- email address;
- National insurance number;
- passport information;
- driving licence;
- bank details;
- credit history, and names of your partner or anyone else you are financially linked with (we receive this information from the credit reference agencies and fraud prevention agencies);
- employment history;
- salary, benefits and taxation information;
- qualifications, training and competency records;
- information relating to your performance in the role, attendance and absence records;
- information regarding your emergency contacts and any dependants (if you provide this);
- identifiers assigned to your computer or other internet connected device including your IP address;
- information linked to your mobile telephone number (company mobile phone or your own mobile phone when signed into the free wi-fi access points in STB offices);
- publicly available information (for example on the internet, social media and public registers);
- recruitment data: CV and application, interview and assessment records;
- information from competence and background checks including qualifications and references;
- evidence of eligibility to work;
- personnel claims, complaints and disclosures data: termination arrangements and payments, subject matter of employment based litigation and complaints, personnel involvement in incident reporting and disclosures;
- personnel monitoring data: recordings of electronic communications, video conferencing technology and calls recordings, building access and IT systems access records, CCTV footage, data caught by IT security programmes and filters.
- information about unspent criminal convictions or pending prosecutions relating to any aspect of dishonesty which may have a bearing on your employment;
- information about cautions, warnings, reprimands, as well as spent and unspent convictions which may have a bearing on your employment (only applicable for roles captured under the Senior Managers and Certification Regime);
- information relating to how you conduct an account with the Group if you have one.
For candidates, where information fields are marked as mandatory on any application form that you complete, if you do not provide such information we will be unable to continue with your application.
For personnel, failure to provide any mandatory information will mean that we cannot carry out certain HR processes. For example, if you do not provide us with your bank details, it could prevent us from being able to pay you.
We also collect and process a limited amount of personal data falling into special categories, sometimes called "sensitive personal data". Special categories of personal data include information about an individual's physical or mental health or condition, biometric and genetic data, racial or ethnic origin, political opinions, religious beliefs or other philosophical beliefs of a similar nature, trade union membership, sex life and/or sexual orientation.
Criminal offence information is not defined as special categories of personal data, however, this information does require additional protections. Criminal offence information covers information related to convictions and offences, including alleged offences, court proceedings, and sentencing.
As part of our competence and background checks, we conduct criminal disclosure checks with the Disclosure & Barring Service (DBS). See 'Competence and background checks' section for more details.
If you have voluntarily provided health information to us (for example, where you have notified us of an illness, disability or impairment), we process that information for the limited purpose of making reasonable adjustments to help you work safely and effectively.
You have the opportunity to provide certain diversity information to assist us in monitoring how our policy on equal opportunities is working in practice, in accordance with the Equality Act 2010.
Your personal data are collected and processed for various business purposes, in accordance with applicable laws and any applicable employment agreements/engagement contracts. In limited circumstances, personal data may occasionally be used for purposes not obvious to you where the circumstances warrant such use (e.g. in investigations or disciplinary proceedings).
We process your personal data under one of the following bases:
- the processing is necessary for our legitimate interests (as set out in the section below);
- the processing is necessary for compliance with a legal obligation to which we are subject; or
- the processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into such a contract.
|Purpose||Legal Basis (As set out under applicable data protection law - for more details click here)|
|To manage job applications and assess candidates for vacancies within the Group;||
|To conduct competence and background checks, and fitness and propriety checks. See 'Competence and background checks' section;||
|To obtain evidence of eligibility to work in the UK;||
|To assess suitability and capability of candidates, including psychometric assessments for certain roles; and to document the interview process and assess candidate competence;||
|To enter into and carry out a contract of employment;||
|To monitor the equal opportunities policy;||
|During Employment /Engagement with us|
|To process payroll and out of pocket expenses;||
|To manage absence, both planned and unplanned and validate fitness and ability to return to work;||
|To conduct competence checks, including verifying address history, obtaining credit reference, adverse media, criminal records and other relevant poor conduct checks. See 'Competence and background checks' section;||
|For training purposes and to review or enhance performance. This may involve quality assurance reviews, including of call recording for contact centre roles, and may utilise analytics tools, such as speech analytics;||
|To investigate performance as part of a grievance or disciplinary process;||
|To benchmark salary and benefits (where possible on an anonymised basis);||
|To fulfil our recognition and reward proposition||
|To provide flexible benefits as part of the employee benefits package;||
|To provide hotel accommodation, company or hire cars;||
|To schedule and manage attendance for contact centre resourcing requirements using workforce management tools;||
|To maintain governance records, including conflicts of interest register, gifts and hospitality log, confidential information lists, staff sharedealing disclosures, and lists of persons discharging material responsibility;||
|To monitor the equal opportunities policy;||
|Security and Health & Safety|
|To monitor access to the Group's offices and restricted areas, and use of IT systems and applications;||
|To validate drivers' licence and insurance policy if in receipt of car allowance;||
|For contacting employees in the event of an emergency or as part of annual testing;||
|For contacting personnel in the event of a Health & Safety emergency;||
|Complying with Legal Obligations|
|To prevent, investigate and prosecute crime, fraud, money laundering or sanctions violations;||
|To check if you have an account with Secure Trust Bank Group or one of our debt collection clients;||
|To investigate a whistleblowing report made by you if you choose not to remain anonymous;||
|If we are obliged to disclose information by reason of any law, regulation or court order;||
|For financial planning and management, risk management or auditing purposes;||
|Event logs are maintained on wireless network access points to troubleshoot issues and investigate high usage for company provided mobile phones;||
|To transfer information to any entity which may acquire rights in us;||
|To administer the Sharesave Plan for employees that opt to participate and other participants in discretionary share schemes;||
|To test systems or third party services (see 'Testing' section);||
|Other purposes permitted by applicable laws, including legitimate interests pursued by us where these are not overridden by the interests or fundamental rights and freedoms of staff.|
We process Special Categories of Personal Data under one of the following conditions:
- the processing is necessary to comply with our legal obligations under employment, health and safety and social security law;
- the processing is necessary for the assessment of your working capacity, medical diagnosis, or the provision of health care or treatment;
- the processing is necessary to protect your or another person's vital interests where you are physically or legally incapable of giving consent (for example in exceptional situations such as a medical emergency); or
- the processing is necessary for the establishment, exercise or defence of legal claims.
- the processing is necessary for substantial public interest (for example equality and diversity).
|Purpose||Legal Basis (As set out under applicable data protection law - for more details click here)|
|To provide statutory incapacity or maternity benefits; to comply with legal obligations in managing your employment or engagement with us; to make reasonable accommodations or adjustments; to avoid unlawful discrimination; and to provide an inclusive and diverse workplace.||
|To manage and investigate any complaint under our grievance policy (or other relevant policies)||
We process criminal offence data under the legal basis that the processing is necessary for substantial public interest (for example prevention or detection of unlawful acts or dishonesty, or suspicion of terrorist financing or money laundering or sanctions violations).
We may seek your consent to certain processing which is not based on one of the above bases. You should be aware that it is not a condition or requirement of your employment or engagement with us to agree to any request for consent from us.
We take reasonable steps to destroy or anonymise personal data we hold if it is no longer needed for the purposes set out above.
Set out below is a summary of our relevant retention periods; please ask HR for more information if needed.
|Type of personal data||Retention period|
|General personal data - this includes the categories of normal personal data and personal identity||
|Special categories of personal data||
|Criminal offence data||
|Personal financial data||
|Personal location data||
|Call recordings (contact centres, reception, Financial Crime Operations and Customer Resolutions teams, IT service desk only)||
|Video conferencing technology||
|CCTV - digital images||Max 90 days.|
The recipients with whom we share personal data are:
- our third party service providers who act on our instruction and need to know the information in order to provide us or you with a service;
- our third party service providers including Bupa who act as controller for private medical care if included in your contract of employment, Bupa and Workforce Wellbeing who act as controller for occupational health, AON who act as controller in delivering flexible benefits to you, and CLM who act as controller for providing company cars;
- our third party service providers who act on our instruction and process information on our behalf to help run some of our business operations including HR & payroll system, competence and background checks (People Check), surveys and assessments, training, email distribution, storage of HR records, our HR careers portal, IT services and websites, contact centre resourcing requirements, and benchmarking;
- our third party service providers (Amazon and Funkypigeon.com) who act as a controller in delivering our rewards and recognition program;
- our advisors, for the purpose of assisting us to better manage, support or develop our employees and comply with our legal and regulatory obligations;
- our regulators or the relevant authorities (including the Prudential Regulation Authority, Financial Conduct Authority and Information Commissioner's Office) to comply with our legal and regulatory obligations or for our legitimate interests;
- entities or third parties requesting a regulated reference under the Senior Manager and Certification Regime, as determined by the Prudential Regulation Authority and Financial Conduct Authority;
- entities who may or do acquire any rights in us for the purpose of a business sale or reorganisation;
- credit reference agencies (Equifax and TransUnion) and fraud prevention agencies (including Cifas and LexisNexis) - see sections below 'Competence and background checks' and 'For crime and fraud prevention and anti-money laundering';
- law enforcement bodies in order to comply with any legal obligation or court order.
Recipients with whom we share your personal data, for example our service providers, may be located in the UK, other countries in the European Economic Area or elsewhere in the world. Different privacy laws may apply in these countries.
Whenever we or our service providers transfer your personal data outside of the European Economic Area, we or they impose the standard contractual obligations approved by the relevant regulatory authorities on the recipients of that information to protect your personal data to the standard required in the European Economic Area or may require the recipient to subscribe to 'international frameworks' for example adequacy decisions. More details on the standard contractual obligations and the international frameworks are available on the ICO's website, or to obtain a copy of the relevant documented data safeguard (some details of which may be redacted for confidentiality reasons) you can contact our Data Protection Officer on the details below.
As part of our recruitment process, including if you transfer to a different role internally, and on an ongoing basis, we complete background checks. Some of these checks are conducted by People Check on our behalf. This requires us to process your personal data with the credit reference agencies and fraud prevention agencies, and the Disclosure & Barring Service for criminal convictions and pending proceedings.
The checks include:
- Address confirmation/electoral roll checks;
- Address history checks;
- Alias check;
- Identity verification/passport validation/right to work check;
- Financial search via credit reference agencies (CRAs) including credit check, county court judgments, insolvencies and bankruptcy orders;
- Checks with HM Treasury, UK FCA, Lloyds Insurance Markets, CIA Head of State Enforcement, Government databases & related global sanctions, OFAC, law enforcement actions, black, watch and PEP (politically exposed persons) lists for involvement in/association with fraud, money laundering, or the funding of terror, drugs and related illegal activities.
- Basic DBS Check;
- Cifas employee fraud check (Cifas consumer check carried out via CRAs);
- Adverse media analysis;
- Verification of professional qualifications;
- Employment verification covering a period of three years; and
- Educational verification to most appropriate level - normally highest level achieved.
If your role is captured under the Senior Manager and Certification Regime or you are a Non-Executive Director additional checks are required as detailed below:
- Directorships, company listings and conflict of interest searches;
- Standard DBS check for unspent convictions, cautions & reprimands; and
- Regulatory references covering a period of six years.
The consequences of these checks may mean that we do not progress your application for a job vacancy or may result in either your offer of employment or engagement being withdrawn or termination of employment or engagement.
If your role is captured under the Senior Manager and Certification Regime or you are a Non-Executive Director, we will continue to undertake the following checks on at least an annual basis while you are employed by us or engaged with us, to comply with legal obligations regarding fitness and propriety:
- Identity verification/passport validation/right to work check;
- Financial search via CRAs including credit check, county court judgments, insolvencies and bankruptcy orders;
- Directorships search for any company listings;
- Checks with HM Treasury, UK FCA, Lloyds Insurance Markets, CIA Head of State Enforcement, Government databases & related global sanctions, OFAC, law enforcement actions, black, watch and PEP (politically exposed persons) lists for involvement in/association with fraud, money laundering, or the funding of terror, drugs and related illegal activities;
- Adverse press analysis;
- Basic DBS Check;
- Cifas check (Cifas consumer check carried out via CRAs).
The outputs of these checks may require further investigation, the consequences of which could mean that we can no longer allow you to perform the role and are required to notify the regulators. The results of these annual checks are erased once the annual certificate of fitness and propriety has been signed.
Credit reference agencies provide us with a personnel vetting report which is classed as a soft search. This means you can see our search but it is not visible to others who request a credit reference check on you.
In order to fulfil the checks completed during the recruitment process, including if you transfer to a different role internally, and on an ongoing basis the applicable agencies and databases are used as outlined below.
We use Equifax and TransUnion as our credit reference agencies. More information about Equifax and TransUnion and how they process your personal data is available at: www.equifax.co.uk/crain and www.transunion.co.uk/crain.
The fraud prevention databases we use for these checks are provided by Cifas - The UK's Fraud Prevention Service and Lexis Nexis. Further information can be found at www.cifas.org.uk and www.lexisnexis.co.uk/.
Our third party provider, PeopleCheck, use the UK Disclosure Barring Service or Disclosure Scotland to complete criminal convictions checks on our behalf. More information can be found at www.gov.uk/government/organisations/disclosure-and-barring-service or www.mygov.scot/organisations/disclosure-scotland/
To complete verification of educational history, alongside direct contact with the relevant institutions our third party provider PeopleCheck use HEDD. Further information can be found at www.hedd.ac.uk/
We investigate crime, fraud, other relevant seriously improper conduct or money laundering suspicions, including sanctions violations that involve personnel. These investigations require us to process personal data held by us and by credit reference agencies or fraud prevention agencies.
If our investigations identify a fraud or money laundering or sanctions risk, or the commission of any other criminal offence or other relevant seriously improper conduct by you when applying for or during the course of your employment or engagement with us, your application for a job vacancy or engagement may be refused, or your employment or existing engagement may be terminated, or other disciplinary action taken (subject to your rights under your existing contract and under employment law generally). A record of any fraudulent or relevant seriously improper conduct by you will be recorded with the relevant fraud prevention agencies and will be retained by them for up to six years. The record may result in others refusing to employ you. If you have any questions about this, please contact us using the details provided.
We, and fraud prevention agencies, may enable law enforcement agencies or relevant authorities to access and use your personal data to detect, investigate and prevent crime.
The fraud prevention databases we use are provided by Cifas and Lexis Nexis.
From time to time, we may want to use personal information to test our products, internal systems and services, and the systems and services of third party service providers. This can involve personal information being shared with and obtained from third party service providers; wherever possible, this information is processed on an anonymised basis.
This privacy statement contains links to third party websites. We accept no responsibility or liability for the content of third party websites which are not under our strict control. In particular, we are not responsible for the protection and privacy of any information which you provide whilst visiting other websites, and such sites are not governed by this Fair Processing Notice. Please see section titled 'Access to Website' in our Website Terms and Conditions for further details.
Emails sent via the internet can be subject to interception, loss or possible alteration, therefore we cannot guarantee their security. Although we will do our best to protect your personal data, we cannot guarantee the security of your data sent by email and therefore will have no liability to you for any damages or other costs in relation to emails sent by you to us via the internet.
More information on how your personal data may be used to manage Information Security risks is set out in the STBG Acceptable Use Policy. New personnel are required to read and agree to the terms of the Policy before being given access to any system or data belonging to STBG. Personnel are expected to reiterate this agreement on a periodic basis.
We will keep this privacy statement under review and make updates from time to time. We will notify you of any major changes which will affect the processing of your personal data, for example if we change the credit reference agencies we use. We may make minor changes (such as to correct typographical errors, or to add information about other services which do not affect your personal data at this time) without notifying you, but shall make such information available on the Hive.
You have the right to request copies of certain items of your personal information within our custody and control and details of how we use that information. Your request can be made verbally or in writing.
If you think any of the personal information we hold about you is inaccurate, please request it is corrected or erased.
You also have rights, in certain circumstances:
- to object to our processing of your personal information;
- to require us to stop or restrict the processing of your personal information; and/or
- to withdraw your agreement to processing based on 'consent'.
DATA PROTECTION OFFICER
If you are unhappy about how your personal data has been used, please contact our Data Protection Officer using the details set out below. You also have a right to complain to the Information Commissioner's Office (https://www.ico.org.uk), which regulates the processing of personal data.
Our Data Protection Officer can be contacted by telephone or in writing:
Data Protection Officer
Secure Trust Bank
One Arleston Way
Solihull, B90 4LH
Telephone queries can be made to: 0121 693 9100.
Updated: December 2021