Use of personal data

Secure Trust Bank Group comprises Secure Trust Bank PLC and V12 Retail Finance Limited ("we", "our", "us"). We hold and process data on current and former employees, individual contractors, applicants, interview candidates, agency workers, consultants, directors and third parties whose information you provide to us in connection with our relationship (e.g. next-of-kin, emergency contact information and/or dependents) ("you" or "your").

We act as a "controller", and in doing so, we take your data protection rights and our legal obligations seriously. Your personal data will be treated in a secure and confidential manner and only as set out below.

When we use "we" in this notice we mean us or anyone acting on our behalf. See 'How we share your information' section for details of those acting on our behalf.

Please read this privacy statement carefully as it contains important information to help you understand our practices regarding any personal data that you give to us.

If you are applying for a job and do not agree with any part of this privacy statement, you should not continue with your application. You can contact our recruitment team by email.

When we collect information

Candidates:

We collect personal data:

  • directly when you register interest about a job vacancy with us;
  • directly during the course of considering an application for a job vacancy, on our website, in an interview, in writing or over the phone (including via recording of calls or video conferencing technology);
  • indirectly from a recruitment agency which helps arrange the application for you;
  • indirectly from third parties including your former employers, tax authorities, credit reference agencies and fraud prevention agencies.

Personnel, including current and former employees, individual contractors, applicants, agency workers, consultants, directors:

We collect personal data:

  • directly from you and from observing you during your employment or engagement with us, in person, in notes of one to one meetings, performance assessments and discussions with your line manager, on the intranet or over the phone;
  • indirectly from third parties including tax authorities, or providers of the flexible benefits you opt for, and credit reference agencies and fraud prevention agencies;
  • that is recorded in building access, CCTV in and around our offices and IT systems access records, and in your activity on IT systems; and
  • that is recorded in attendance records for training, meetings and events you participate in, contact centre scheduling and resourcing systems.

Third Parties, including next-of-kin, emergency contact information and/or dependents:

We collect personal data indirectly from the relevant Candidate or Personnel connected to us.

What personal data we collect and process

This personal data includes your:

  • name, including any previous names;
  • date of birth;
  • gender;
  • address, and your address history;
  • telephone number;
  • email address;
  • National insurance number;
  • passport information;
  • nationality;
  • driving licence (where applicable);
  • car insurance information (where applicable);
  • bank details;
  • credit history, and names of your partner or anyone else you are financially linked with (we receive this information from the credit reference agencies and fraud prevention agencies);
  • employment history;
  • salary, benefits and taxation information;
  • qualifications, training and competency records;
  • information relating to your performance in the role, attendance and absence records;
  • information regarding your emergency contacts and any dependents (if you provide this);
  • identifiers assigned to your computer or other internet connected device including your IP address;
  • information linked to your mobile telephone number (company mobile phone or your own mobile phone when signed into the free wi-fi access points in STB offices);
  • publicly available information (for example on the internet, social media and public registers);
  • recruitment data: CV and application, interview and assessment records;
  • information from competence and background checks including qualifications and references;
  • evidence of eligibility to work;
  • personnel claims, complaints and disclosures data: termination arrangements and payments, subject matter of employment based litigation and complaints, personnel involvement in incident reporting and disclosures;
  • personnel monitoring data: recordings of electronic communications, video conferencing technology and calls, building access and IT systems access records, CCTV footage, data caught by IT security programmes and filters;
  • information about unspent criminal convictions or pending prosecutions relating to any aspect of dishonesty which may have a bearing on your employment;
  • information about cautions, warnings, reprimands, as well as spent and unspent convictions which may have a bearing on your employment (only applicable for roles captured under the Senior Managers and Certification Regime);
  • information relating to how you conduct an account with the Group if you have one.

For candidates, where information fields are marked as mandatory on any application form that you complete, if you do not provide such information we will be unable to continue with your application.

For personnel, failure to provide any mandatory information will mean that we cannot carry out certain HR processes. For example, if you do not provide us with your bank details, it could prevent us from being able to pay you.

Special Categories of Personal Data

We also collect and process a limited amount of personal data falling into special categories, sometimes called "sensitive personal data". Special categories of personal data include information about an individual's physical or mental health or condition, biometric and genetic data, racial or ethnic origin, political opinions, religious beliefs or other philosophical beliefs of a similar nature, trade union membership, or sex life and sexual orientation.

Criminal offence information is not defined as special categories of personal data, however, this information does require additional protections. Criminal offence information covers information related to convictions and offences, including alleged offences, court proceedings, and sentencing.

As part of our competence and background checks, we conduct criminal disclosure checks with the Disclosure & Barring Service (DBS). See 'Competence and background checks' section for more details.

If you have voluntarily provided health information to us (for example, where you have notified us of an illness, disability or impairment), we process that information for the limited purpose of making reasonable adjustments to help you work safely and effectively.

You have the opportunity to provide certain diversity information to assist us in monitoring how our policy on equal opportunities is working in practice, in accordance with the Equality Act 2010.

Purpose and legal basis for processing personal data

Your personal data is collected and processed for various business purposes, in accordance with applicable laws and any applicable employment agreements/engagement contracts. In limited circumstances, personal data may occasionally be used for purposes not obvious to you where the circumstances warrant such use (e.g. in investigations or disciplinary proceedings).  

We process your personal data under one of the following bases:

  • the processing is necessary for our legitimate interests (as set out in the section below);
  • the processing is necessary for compliance with a legal obligation to which we are subject; or
  • the processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into such a contract.

Purpose | Legal basis (as set out under applicable data protection law)

Recruitment

To manage job applications and assess candidates for vacancies within the Group;

• Legitimate interests for recruitment purposes to assess applicants for vacancies within the Group, including applicants who are not selected for the initial role they apply for.

To conduct competence and background checks, and fitness and propriety checks. See 'Competence and background checks' section;

• To comply with legal obligations for Senior Managers Function and Certified Function roles.

• Legitimate interests to manage and control employee risk, including preventing fraud and seriously improper conduct.

To obtain evidence of eligibility to work in the UK;

• To comply with legal obligations in the Immigration Act.

To assess suitability and capability of candidates, including psychometric assessments for certain roles; and

To document the interview process and assess candidate competence;

• To comply with legal obligations for Senior Managers Function and Certified Function roles.

• Legitimate interests for recruitment purposes to ensure that we fully assess applications for employment to ensure that only suitable and appropriate candidates are assessed and selected.

• If special categories of personal data are processed - necessary to carry out obligations and exercise specific rights as employer or to assess occupational health and/or reasonable adjustment requirements.

To enter into and carry out a contract of employment;

• Necessary to perform the contract of employment.

To monitor the equal opportunities policy;

• To comply with legal obligations, in particular the Equality Act 2010.

• Legitimate interests to prevent discrimination and promote an inclusive and diverse workplace.

During Employment / Engagement with us

To process payroll and out of pocket expenses;

• Necessary to perform the contract of employment.

To manage absence, both planned and unplanned and validate fitness and ability to return to work;

• Legitimate interests for absence management.

• To comply with employment law.

• To comply with statutory obligations to assess ability to return to work and any adjustments required.

To conduct competence checks, including verifying address history, obtaining credit reference, adverse media, criminal records and other relevant poor conduct checks. See 'Competence and background checks' section;

• Legitimate interests to manage employee risks, including preventing fraud and seriously improper conduct.

• To comply with legal obligations for Senior Managers Function and Certified Function roles.

For training purposes and to review or enhance performance. This may involve quality assurance reviews, including of call recording for contact centre roles, and may utilise analytics tools, such as speech analytics;

• Legitimate interests for performance management.

• To comply with statutory obligations for competence in certain roles and other professional bodies' requirements.

• To comply with employment law obligations.

To investigate performance as part of a grievance or disciplinary process;

• Legitimate interests for managing capability and competence.

• To comply with legal obligations for investigations related to employment law obligations and Conduct Rules.

To benchmark salary and benefits (where possible on an anonymised basis);

• Legitimate interests to assess salary and benefits packages.

To fulfil our recognition and reward proposition;

• Legitimate interests to process our STBG recognition programme.

To provide flexible benefits as part of the employee benefits package;

• Necessary to perform the contract for the optional benefits selected.

To provide hotel accommodation, company or hire cars;

• Legitimate interests to facilitate travel for business purposes.

To schedule and manage attendance for contact centre resourcing requirements using workforce management tools;

• Legitimate interests to manage resource requirements.

To maintain governance records, including conflicts of interest register, gifts and hospitality log, confidential information lists, staff share dealing disclosures, and lists of persons discharging material responsibility;

• To comply with legal obligations in the Financial Services and Markets Act and corporate governance requirements.

To monitor the equal opportunities policy;

• To comply with legal obligations, in particular the Equality Act 2010.

• Legitimate interests to prevent discrimination and promote an inclusive and diverse workplace.

Security and Health & Safety

To monitor access to the Group's offices and restricted areas, and use of IT systems and applications;

• Legitimate interests to manage and control information security risk and the risk of misconduct.

• To comply with legal obligations for prevention of crime and financial crime.

To validate drivers' licence and insurance policy if in receipt of a company car or car allowance;

• To comply with Health & Safety legal obligations.

For contacting employees in the event of an emergency or as part of annual testing;

• Legitimate interests for business continuity.

For contacting personnel in the event of a Health & Safety emergency;

• Legitimate interests to provide information to relevant authorities.

Complying with Legal Obligations

To prevent, investigate and prosecute crime, fraud, money laundering or sanctions violations;

• To comply with legal obligations for prevention of financial crime and money laundering or sanctions violations.

To check if you have an account with Secure Trust Bank Group or one of our debt collection clients;

• To comply with legal obligations to manage conflicts of interest.

To investigate a whistleblowing report made by you if you choose not to remain anonymous;

• To comply with legal obligations related to whistleblowing arrangements.

If we are obliged to disclose information by reason of any law, regulation or court order;

• To comply with legal obligations.

Other

For financial planning and management, risk management or auditing purposes;

• To comply with legal obligations including accounting, audit and risk management standards and requirements for listed companies.

Event logs are maintained on wireless network access points to troubleshoot issues and investigate high usage for company provided mobile phones;

• Legitimate interests for commercial interests.

To transfer information to any entity which may acquire rights in us;

• Legitimate interests for commercial interests.

To administer the Sharesave Plan for employees that opt to participate and other participants in discretionary share schemes;

• Necessary to perform the contract.

To test systems or third party services (see 'Testing' section);

• Legitimate interests to develop our products, systems and services.

Other purposes permitted by applicable laws, including legitimate interests pursued by us where these are not overridden by the interests or fundamental rights and freedoms of staff.

 

We process Special Categories of Personal Data under one of the following conditions:

  • the processing is necessary to comply with our legal obligations under employment, health and safety and social security law;
  • the processing is necessary for the assessment of your working capacity, medical diagnosis, or the provision of health care or treatment;
  • the processing is necessary to protect your or another person's vital interests where you are physically or legally incapable of giving consent (for example in exceptional situations such as a medical emergency);
  • the processing is necessary for the establishment, exercise or defence of legal claims; and
  • the processing is necessary for substantial public interest (for example equality and diversity).

Purpose | Legal basis (as set out under applicable data protection law - for more details visit the ICO website)

To provide statutory incapacity or maternity benefits;

To comply with legal obligations in managing your employment or engagement with us;

To make reasonable accommodations or adjustments;

To avoid unlawful discrimination; and

To provide an inclusive and diverse workplace.

• To comply with legal obligations under employment, health and safety and social security law, to assess ability to return to work and any adjustments required.

• To comply with legal obligations, in particular the Equality Act 2010.

• Legitimate interests to prevent discrimination and promote an inclusive and diverse workplace.

To manage and investigate any complaint under our grievance policy (or other relevant policies)

• To comply with legal obligations under employment, health and safety and social security law.

We process criminal offence data under the legal basis that the processing is necessary for substantial public interest (for example prevention or detection of unlawful acts or dishonesty, or suspicion of terrorist financing or money laundering or sanctions violations).

We may seek your consent to certain processing which is not based on one of the above bases. You should be aware that it is not a condition or requirement of your employment or engagement with us to agree to any request for consent from us.

How we retain your information

We take reasonable steps to destroy or anonymise personal data we hold if it is no longer needed for the purposes set out above.

Set out below is a summary of our relevant retention periods. Please ask HR for more information if needed.

Type of personal data | Retention period

General personal data - this includes the categories of normal personal data and personal identity

• 6 years after the end of employment/engagement.

• Candidate information is retained for 12 months after the last activity on our careers website, although candidates can delete their profile at any time.

• Some information collected through competence and background checks is retained for less time.

• Certain information is not retained after the end of employment, for example details of next of kin or beneficiaries for death in service benefits.

Special categories of personal data

• 6 years after the end of employment/engagement.

• For candidates, 12 months from the recruitment decision.

• See 'Your Data Protection Rights' section for details on how to request erasure.

Criminal offence data

• When provided by the Disclosure & Barring Service, details of the criminal offence will be destroyed 3 months after the competence and background checks process is complete.

• A record of the decision will be retained with no reference to the offence for 6 years after the end of employment/engagement or, for candidates, for 6 months.

• Where fraud or seriously improper conduct is investigated, details of the criminal offence, any investigation notes and the decision are retained for 6 years after the end of employment/engagement.

Personal financial data

• Records of salary and taxation are retained for 6 years after the end of the relevant tax year.

• Financial searches via credit reference agencies are deleted at the end of probation or within 3 months of an internal move; however, we retain a record that the check was completed.

Personal location data

• Attendance records for training are retained for 6 years after the end of employment/engagement.

• Corporate card statements and expense claims are retained for 6 years; these may identify the location of employees.

• Location data is retained for up to 30 days for company mobile phones; and for employees' own mobile phones when signed into the free wi-fi access points in STB offices.

• Building access records are retained for 90 days.

Call recordings (contact centres, reception, Financial Crime Operations and Customer Resolutions teams, IT service desk)

• 12 months.

Video conferencing technology

• 6 months.

Emails

• 3 years retention is set as standard, however, the sender or recipients may delete earlier or retain for longer.

CCTV - digital images

• Max 90 days.

How we share your information

The recipients with whom we share personal data are:

  • our third party service providers who act on our instruction and need to know the information in order to provide us or you with a service;
  • our third party service providers including Bupa who act as controller for private medical care if included in your contract of employment, Bupa and Workforce Wellbeing who act as controller for occupational health, and CLM who act as controller for providing company cars;
  • our third party service providers who act on our instruction and process information on our behalf in delivering flexible benefits to you (Personal Group via the Hapi platform);
  • our third party service providers including Zurich Insurance UK and Unum who act as controllers in providing Group Life Insurance policies;
  • our third party service providers who act on our instruction and process information on our behalf to help run some of our business operations including HR & payroll system, competence and background checks (People Check), surveys and assessments, training, email distribution, storage of HR records, our HR careers portal, IT services and websites, contact centre resourcing requirements, and benchmarking;
  • our third party service providers (Amazon, Funkypigeon.com and Hotel Chocolat) who act as a controller in delivering our rewards and recognition program;
  • our advisors, for the purpose of assisting us to better manage, support or develop our employees and comply with our legal and regulatory obligations;
  • our regulators or the relevant authorities (including the Prudential Regulation Authority, Financial Conduct Authority and Information Commissioner's Office) to comply with our legal and regulatory obligations or for our legitimate interests;
  • entities or third parties requesting a regulated reference under the Senior Manager and Certification Regime, as determined by the Prudential Regulation Authority and Financial Conduct Authority;
  • entities who may or do acquire any rights in us for the purpose of a business sale or reorganisation;
  • credit reference agencies (Equifax and TransUnion) and fraud prevention agencies (including Cifas and LexisNexis) (see sections below 'Competence and background checks' and 'For crime and fraud prevention and anti-money laundering');
  • HMRC; and
  • law enforcement bodies in order to comply with any legal obligation or court order.

Transfer outside of the EEA

Recipients with whom we share your personal data, for example our service providers, may be located in the UK, other countries in the European Economic Area or elsewhere in the world. Different privacy laws may apply in these countries.

Whenever we or our service providers transfer your personal data outside of the European Economic Area, we or they impose the standard contractual obligations approved by the relevant regulatory authorities on the recipients of that information to protect your personal data to the standard required in the European Economic Area or may require the recipient to subscribe to 'international frameworks' for example adequacy decisions. More details on the standard contractual obligations and the international frameworks are available on the ICO's website, or to obtain a copy of the relevant documented data safeguard (some details of which may be redacted for confidentiality reasons) you can contact our Data Protection Officer on the details below.  

Competence and background checks

As part of our recruitment process, including if you transfer to a different role internally, and on an ongoing basis, we complete background checks. Some of these checks are conducted by People Check on our behalf. This requires us to process your personal data with the credit reference agencies and fraud prevention agencies, and the Disclosure & Barring Service for criminal convictions and pending proceedings.

The checks include:

  • Address confirmation/electoral roll checks;
  • Address history checks;
  • Alias check;
  • Identity verification/passport validation/right to work check;
  • Financial search via credit reference agencies (CRAs) including credit check, county court judgments, insolvencies and bankruptcy orders;
  • Checks with HM Treasury, UK FCA, Lloyds Insurance Markets, CIA Head of State Enforcement, Government databases & related global sanctions, OFAC, law enforcement actions, black, watch and PEP (politically exposed persons) lists for involvement in/association with fraud, money laundering, or the funding of terror, drugs and related illegal activities;
  • Basic DBS Check;
  • Cifas employee fraud check (Cifas consumer check carried out via CRAs);
  • Adverse media analysis;
  • Verification of professional qualifications;
  • Employment verification covering a period of three years; and
  • Educational verification to most appropriate level - normally highest level achieved.

If your role is captured under the Senior Manager and Certification Regime or you are a Non-Executive Director additional checks are required as detailed below:

  • Directorships, company listings and conflict of interest searches;
  • Standard DBS check for unspent convictions, cautions & reprimands; and
  • Regulatory references covering a period of six years.

The consequences of these checks may mean that we do not progress your application for a job vacancy or may result in either your offer of employment or engagement being withdrawn or termination of employment or engagement.

If your role is captured under the Senior Manager and Certification Regime or you are a Non-Executive Director, the outputs of these checks may require further investigation, the consequences of which could mean that we can no longer allow you to perform the role and are required to notify the regulators. The results of these annual checks are erased once the annual certificate of fitness and propriety has been signed.

Credit reference agencies provide us with a personnel vetting report which is classed as a soft search. This means you can see our search but it is not visible to others who request a credit reference check on you.

In order to fulfil the checks completed during the recruitment process, including if you transfer to a different role internally, and on an ongoing basis the applicable agencies and databases are used as outlined below.

We use Equifax and TransUnion as our credit reference agencies. More information about Equifax and TransUnion and how they process your personal data is available at: www.equifax.co.uk/crain and www.transunion.co.uk/crain.

The fraud prevention databases we use for these checks are provided by Cifas - The UK's Fraud Prevention Service and LexisNexis. Further information can be found at www.cifas.org.uk and www.lexisnexis.co.uk.

Our third party provider, PeopleCheck, use the UK Disclosure Barring Service or Disclosure Scotland to complete criminal convictions checks on our behalf. More information can be found at www.gov.uk/government/organisations/disclosure-and-barring-service or www.mygov.scot/organisations/disclosure-scotland

To complete verification of educational history, alongside direct contact with the relevant institutions our third party provider PeopleCheck use HEDD. Further information can be found at hedd.ac.uk

To facilitate the Right to Work check our third party provider PeopleCheck use Yoti. Further information can be found at www.yoti.com

For crime and fraud prevention and anti-money laundering

We investigate crime, fraud, other relevant seriously improper conduct or money laundering suspicions, including sanctions violations that involve personnel. These investigations require us to process personal data held by us and by credit reference agencies or fraud prevention agencies.

If our investigations identify a fraud or money laundering or sanctions risk, or the commission of any other criminal offence or other relevant seriously improper conduct by you when applying for or during the course of your employment or engagement with us, your application for a job vacancy or engagement may be refused, or your employment or existing engagement may be terminated, or other disciplinary action taken (subject to your rights under your existing contract and under employment law generally). A record of any fraudulent or relevant seriously improper conduct by you will be recorded with the relevant fraud prevention agencies and will be retained by them for up to six years. The record may result in others refusing to employ you. If you have any questions about this, please contact us using the details provided.

We, and fraud prevention agencies, may enable law enforcement agencies or relevant authorities to access and use your personal data to detect, investigate and prevent crime.

The fraud prevention databases we use are provided by Cifas and LexisNexis.

Testing

From time to time, we may want to use personal information to test our products, internal systems and services, and the systems and services of third party service providers. This can involve personal information being shared with and obtained from third party service providers. Wherever possible, this information is processed on an anonymised basis.

Third party websites

This privacy statement contains links to third party websites. We accept no responsibility or liability for the content of third party websites which are not under our strict control. In particular, we are not responsible for the protection and privacy of any information which you provide whilst visiting other websites, and such sites are not governed by this Fair Processing Notice. Please see the section titled 'Access to Website' in our Website Terms and Conditions for further details.

Email

Emails sent via the internet can be subject to interception, loss or possible alteration, therefore we cannot guarantee their security. Although we will do our best to protect your personal data, we cannot guarantee the security of your data sent by email and therefore will have no liability to you for any damages or other costs in relation to emails sent by you to us via the internet.

Cookies

Our website (The Hive) uses cookies (including Google Analytics cookies to obtain an overall view of visitor habits and visitor volumes). To view more information on what cookies we use and how we use them please review our separate Cookie Policy.

Information security

More information on how your personal data may be used to manage Information Security risks is set out in the STBG Acceptable Use Policy. New personnel are required to read and agree to the terms of the Policy before being given access to any system or data belonging to STBG. Personnel are expected to reiterate this agreement on a periodic basis.

Updates

We will keep this privacy statement under review and make updates from time to time. We will notify you of any major changes which will affect the processing of your personal data, for example if we change the credit reference agencies we use.  We may make minor changes (such as to correct typographical errors, or to add information about other services which do not affect your personal data at this time) without notifying you, but shall make such information available on the Hive. 

Your data protection rights

You have the right to request copies of certain items of your personal information within our custody and control and details of how we use that information. Your request can be made verbally or in writing.

If you think any of the personal information we hold about you is inaccurate, please request that it is corrected or erased.

You also have rights, in certain circumstances:

  • to object to our processing of your personal information;
  • to require us to stop or restrict the processing of your personal information; and/or
  • to withdraw your agreement to processing based on 'consent'.

In relation to all of these rights, your request can be made verbally or in writing to the address below or by email. Please note that we may request proof of identity when we receive your request.

Data Protection Officer

If you are unhappy about how your personal data has been used, please contact our Data Protection Officer using the details set out below. You also have a right to complain to the Information Commissioner's Office (https://www.ico.org.uk), which regulates the processing of personal data.

Our Data Protection Officer can be contacted by telephone or in writing:

Data Protection Officer
Secure Trust Bank
Yorke House
Arleston Way
Solihull
B90 4LH

Telephone queries can be made to: 0121 693 9100.