Use of personal data

Secure Trust Bank Group comprises Secure Trust Bank PLC, V12 Retail Finance Limited, Debt Managers (Services) Limited and STB Leasing Limited ("we", "our", "us"). We hold and process data on current and former employees, individual contractors, applicants, interview candidates, agency workers, consultants, directors and third parties whose information you provide to us in connection with our relationship (e.g. next-of-kin, emergency contact information and/or dependents) ("you" or "your").

We act as a "controller", and in doing so, we take your data protection rights and our legal obligations seriously. Your personal data will be treated in a secure and confidential manner and only as set out below.

When we use "we" in this notice we mean us or anyone acting on our behalf. See 'How we share your information' section for details of those acting on our behalf.

Please read this privacy statement carefully as it contains important information to help you understand our practices regarding any personal data that you give to us.

If you are applying for a job and do not agree with any part of this privacy statement, you should not continue with your application. You can contact our recruitment team on 0121 693 9155 or This email address is being protected from spambots. You need JavaScript enabled to view it..

When we collect information

Candidates:

We collect personal data:

  • directly when you register interest about a job vacancy with us;
  • directly during the course of considering an application for a job vacancy, on our website, in an interview, in writing or over the phone (including via call recording);
  • indirectly from a recruitment agency which helps arrange the application for you;
  • indirectly from third parties including your former employers, tax authorities, and where permitted by law depending on the role that you are applying for, credit reference agencies and fraud prevention agencies (see below).

Personnel, including current and former employees, individual contractors, applicants, agency workers, consultants, directors:

We collect personal data:

  • directly from you and from observing you during your employment or engagement with us, in person, in notes of one to one meetings, performance assessments and discussions with your line manager, on the intranet or over the phone;
  • indirectly from third parties including tax authorities, or providers of the flexible benefits you opt for, and where permitted by law depending on your role, credit reference agencies and fraud prevention agencies (see below);
  • that is recorded in building access and IT systems access records;
  • that is recorded in attendance records for training, meetings and events you participate in; and
  • that is recorded on CCTV in and around our offices.

Third Parties, including next-of-kin, emergency contact information and/or dependants:

We collect personal data indirectly from the relevant Candidate or Personnel connected to us.

What personal data we collect and process

This personal data includes your:

  • name, including any previous names;
  • date of birth;
  • address, and your address history;
  • telephone number;
  • email address;
  • National insurance number;
  • passport information;
  • driving licence;
  • bank details;
  • credit history, and records relating to your partner or anyone else you are financially linked with (we receive this information from the credit reference agencies and fraud prevention agencies);
  • employment history;
  • salary, benefits and taxation information;
  • qualifications, training and competency records;
  • information relating to your performance in the role;
  • information regarding your emergency contacts and any dependants (if you provide this);
  • identifiers assigned to your computer or other internet connected device including your IP address;
  • information linked to your mobile telephone number (company mobile phone or your own mobile phone when signed into the free wi-fi access points in STB offices);
  • information you make public (for example on social media and public registers);
  • candidate recruitment data: CV and application, interview and assessment records, information from competence and background checks including qualifications and references, evidence of eligibility to work;
  • personnel claims, complaints and disclosures data: termination arrangements and payments, subject matter of employment based litigation and complaints, personnel involvement in incident reporting and disclosures; and
  • personnel monitoring data: call recordings, building access and IT systems access records, CCTV footage, data caught by IT security programmes and filters.

For candidates, where information fields are marked as mandatory on any application form that you complete, if you do not provide such information we will be unable to continue with your application.

For personnel, failure to provide any mandatory information will mean that we cannot carry out certain HR processes. For example, if you do not provide us with your bank details, it could prevent us from being able to pay you.

Special Categories of Personal Data

We may also collect and process a limited amount of personal data falling into special categories, sometimes called "sensitive personal data". Special categories of personal data include information about an individual's health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, or sexual orientation. Other categories of personal data are also considered sensitive and therefore are closely protected (e.g. criminal convictions).

As part of our competence and background checks, we conduct criminal disclosure checks with the Disclosure & Barring Service in order to comply with our legal obligations to manage and control risk or for the prevention of financial crime and money laundering. See 'Competence and background checks' section for more details.

If you have voluntarily provided health information to us (for example, where you have notified us of an illness, disability or impairment), we process that information for the limited purpose of making reasonable adjustments to help you work safely and effectively.

Candidates have the opportunity to provide certain diversity information on a voluntary basis to assist us in monitoring how our policy on equal opportunities is working in practice, in accordance with the Equality Act 2010.

Purpose and legal basis for processing personal data

Your personal data are collected and processed for various business purposes, in accordance with applicable laws and any applicable employment agreements/engagement contracts. In limited circumstances, personal data may occasionally be used for purposes not obvious to you where the circumstances warrant such use (e.g. in investigations or disciplinary proceedings).

We process your personal data under one of the following bases:

  • the processing is necessary for our legitimate interests (as set out in the section below);
  • the processing is necessary for compliance with a legal obligation to which we are subject; or
  • the processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into such a contract.
Purpose Legal Basis (As set out under applicable data protection law - for more details click here)
Recruitment  
To manage job applications and assess candidates for vacancies within the Group;
  • Legitimate interests for recruitment purposes to assess applicants for vacancies within the Group, including applicants who are not selected for the initial role they apply for.
To conduct background checks, including verifying identity and address, validating education, certificates and qualifications, obtaining references, credit reference, criminal records and other relevant poor conduct checks and evidence of gaps in employment. See 'Competence and background checks' section;
  • To comply with legal obligations for Senior Managers Function and Certified Function roles.
  • Legitimate interests to manage and control employee risk-including preventing fraud and seriously improper conduct.
To obtain evidence of eligibility to work in the UK;
  • To comply with legal obligations in the Immigration Act.
To assess suitability and capability of candidates, including psychometric assessments for certain roles; and
To document the interview process and assess candidate competence;
  • To comply with legal obligations for Senior Managers Function and Certified Function roles.
  • Legitimate interests for recruitment purposes to ensure that we fully assess applications for employment to ensure that only suitable and appropriate candidates are assessed and selected.
  • If special categories of personal data are processed - necessary to carry out obligations and exercise specific rights as employer or to assess occupational health and/or reasonable adjustment requirements.
To enter into and carry out a contract of employment;
  • Necessary to perform the contract of employment.
To monitor the equal opportunities policy;
  • To comply with legal obligations, in particular the Equality Act 2010.
  • Legitimate interests to prevent discrimination and promote an inclusive and diverse workplace.
During Employment /Engagement with us  
To process payroll and out of pocket expenses;
  • Necessary to perform the contract of employment.
To manage absence, both planned and unplanned and validate fitness and ability to return to work;
  • Legitimate interests for absence management.
  • To comply with employment law
  • To comply with statutory obligations to assess ability to return to work and any adjustments required.
To conduct competence checks, including verifying address history, obtaining credit reference, criminal records and other relevant poor conduct checks. See 'Competence and background checks' section;
  • Legitimate interests to manage employee risks, including preventing fraud and seriously improper conduct.
  • To comply with legal obligations for Senior Managers Function and Certified Function roles.
For training purposes and to review or enhance performance. This may involve quality assurance reviews, including of call recording for contact centre roles;
Performance may be investigated as part of a grievance or disciplinary process;
  • Legitimate interests for performance management.
  • To comply with statutory obligations for competence in certain roles and other professional bodies' requirements.
  • To comply with employment law obligations.
To benchmark salary and benefits (where possible on an anonymised basis);
  • Legitimate interests to assess salary and benefits packages.
To provide flexible benefits as part of the employee benefits package;
  • Necessary to perform the contract for the optional benefits selected.
To provide hotel accommodation, company or hire cars;
  • Legitimate interests to facilitate travel for business purposes.
To schedule and manage attendance for contact centre resourcing requirements;
  • Legitimate interests to manage resource requirements.
To maintain governance records, including conflicts of interest register, gifts and hospitality log, confidential information lists, staff sharedealing disclosures, and lists of persons discharging material responsibility;
  • To comply with legal obligations in the Financial Services and Markets Act and corporate governance requirements.
Security and Health & Safety  
To monitor access to the Group's offices and restricted areas, and to IT systems and applications ;
  • Legitimate interests to manage and control information security risk.
  • To comply with legal obligations for prevention of financial crime.
To validate drivers' licence and insurance policy if in receipt of car allowance;
  • To comply with Health & Safety legal obligations.
For contacting employees in the event of an emergency or as part of annual testing;
  • Legitimate interests for business continuity.
Complying with Legal Obligations  
To prevent, investigate and prosecute crime, fraud and money laundering;
  • To comply with legal obligations for prevention of financial crime and money laundering.
To check if you have an account with Secure Trust Bank Group or one of our debt collection clients;
  • To comply with legal obligations to manage conflicts of interest.
If we are obliged to disclose information by reason of any law, regulation or court order;
  • To comply with legal obligations.
Other  
For auditing purposes;
  • To comply with legal obligations to conduct audits.
Event logs are maintained on wireless network access points to troubleshoot issues and investigate high usage for company provided mobile phones;
  • Legitimate interests for commercial interests.
To transfer information to any entity which may acquire rights in us;
  • Legitimate interests for commercial interests.
To administer the Sharesave Plan for employees that opt to participate and other participants in discretionary share schemes;
  • Necessary to perform the contract.
Other purposes permitted by applicable laws, including legitimate interests pursued by us where these are not overridden by the interests or fundamental rights and freedoms of staff.  

We process Special Categories of Personal Data under one of the following bases:

  • the processing is necessary to comply with our legal obligations under employment, health and safety and social security law;
  • the processing is necessary for the assessment of your working capacity, medical diagnosis, or the provision of health care or treatment;
  • the processing is necessary to protect your or another person's vital interests where you are physically or legally incapable of giving consent (for example in exceptional situations such as a medical emergency); or
  • the processing is necessary for the establishment, exercise or defence of legal claims.
Purpose Legal Basis (As set out under applicable data protection law - for more details click here)
To provide statutory incapacity or maternity benefits;
To comply with legal obligations in managing your employment or engagement with us;
To make reasonable accommodations or adjustments; and
To avoid unlawful discrimination.
  • To comply with legal obligations under employment, health and safety and social security law, to assess ability to return to work and any adjustments required
To manage and investigate any complaint under our grievance policy (or other relevant policies)
  • To comply with legal obligations under employment, health and safety and social security law.

We may seek your consent to certain processing which is not based on one of the above bases. You should be aware that it is not a condition or requirement of your employment or engagement with us to agree to any request for consent from us.

How we retain your information

We take reasonable steps to destroy or anonymise personal data we hold if it is no longer needed for the purposes set out above.

Set out below is more detail on our relevant retention periods:

Type of personal data Retention period
General personal data - this includes the categories of normal personal data and personal identity 6 years after the end of employment/engagement.
Candidate information is retained for 6 months after the last activity on our careers website. Although candidates can delete their profile at any time.
Certain information is not retained after the end of employment, for example details of next of kin or beneficiaries for death in service benefits.
Special categories of personal data may be captured if voluntarily provided to us 6years after the end of employment/engagement.
Special categories of personal data will be erased if you no longer want us to retain the information (see 'We respect your rights' section for details on how to request erasure).
Personal financial data Records of salary and taxation are retained for 6 years after the end of the relevant tax year.
Personal location data Attendance records for training6 years after the end of employment/engagement.
Corporate card statements and expense claims are retained for 6 years, these may identify location of employees.
Location data is retained for up to 30 days for company mobile phones; and for employees' own mobile phones when signed into the free wi-fi access points in STB offices.
Call recordings (contact centres only) 1 year.
Mortgage arrears handling calls - 3 years.
CCTV - digital images Max 90 days.

How we share your information

The recipients with whom we share personal data are:

  • Our third party service providers who act on our instruction and need to know the information in order to provide us or you with a service;
  • Our third party service providers (including private medical care if included in your contract of employment) who act as controller in delivering flexible benefits to you;
  • Our third party service providers who act on our instruction and process information on our behalf to help run some of our business operations including competence and background checks (People Check), surveys and assessments, training, email distribution, storage of HR records, our HR careers portal, IT services and websites, and benchmarking;
  • our advisors, for the purpose of assisting us to better manage, support or develop our employees and comply with our legal and regulatory obligations;
  • our regulators (including the Prudential Regulation Authority, Financial Conduct Authority and Information Commissioner's Office) to comply with our legal and regulatory obligations;
  • entities who may or do acquire any rights in us for the purpose of a business sale or reorganisation;
  • credit reference agencies (Equifax and Call Credit) and fraud prevention agencies (including Cifas) - see sections below 'Competence and background checks' and 'For crime and fraud prevention and anti-money laundering');
    HMRC; and
  • law enforcement bodies in order to comply with any legal obligation or court order.

Transfer outside of the EEA

Recipients with whom we share your personal data, for example our service providers, may be located in the UK, other countries in the European Economic Area or elsewhere in the world. Different privacy laws may apply in these countries.

Whenever we or our service providers transfer your personal data outside of the European Economic Area, we or they impose the standard contractual obligations approved by the European Commission on the recipients of that information to protect your personal data to the standard required in the European Economic Area or may require the recipient to subscribe to 'international frameworks'. More details on the standard contractual obligations and the international frameworks are available on the ICO's website, or to obtain a copy of the relevant documented data safeguard (some details of which may be redacted for confidentiality reasons) you can contact our Data Protection Officer on the details below.

Competence and background checks

As part of our recruitment process, we complete background checks. Some of these checks are conducted by People Check on our behalf. This requires us to process your personal data with the credit reference agencies and fraud prevention agencies, and the Disclosure & Barring Service for criminal convictions and pending proceedings.

The checks include:

  • verifying your identity and address;
  • verifying your right to work in the UK;
  • validating your education, any certificates and qualifications;
  • obtaining references from your previous employers (normally over five years) and evidence of any gaps in employment history;
  • credit reference checks (Equifax and Call Credit);
  • basic criminal disclosure checks for unspent convictions;
  • checks against fraud prevention databases (including CIFAS);
  • checks against global sanctions, black, watch and politically exposed persons lists;
  • press analysis and web footprint assessment;
  • verification of any regulatory authorisations (if any).

Additional checks maybe carried out for some more senior, regulated or sensitive roles and these additional checks include:

  • confirmation of address history;
  • detailed financial search including credit reference check, county court judgements, insolvencies and bankruptcy orders;
  • directorships, company listings and conflict of interest searches;
  • obtaining two professional references;
  • verification of professional qualifications;
  • standard criminal disclosure check for unspent convictions, cautions & reprimands;
  • validating regulatory references.

The consequences of these checks may mean that we do not progress your application for a job vacancy. The credit reference report is deleted once probation is successfully completed.

For some more senior, regulated or sensitive roles, we continue to undertake the following checks on at least an annual basis while you are employed by us, to comply with legal obligations regarding fitness and propriety:

  • credit reference checks;
  • basic criminal disclosure checks (unspent convictions);
  • checks against fraud prevention databases (including CIFAS);
  • checks against global sanction, black, watch and politically exposed persons lists;
  • press analysis and web footprint assessment.

The outputs of these checks may require further investigation, the consequences of which could mean that we can no longer allow you to perform the role and need to notify the regulators.

The results of these annual checks on senior, regulated or sensitive roles are erased once the annual certificate of fitness and propriety has been signed.

We use Equifax and Call Credit as our credit reference agencies. More information about Equifax and Call Credit and how they process your personal data is available at: www.equifax.co.uk/crain and www.callcredit.co.uk/crain.

The fraud prevention databases we use for these checks is provided by CIFAS - The UK's Fraud Prevention Service and Lexis Nexis. Further information can be found at www.cifas.org.uk and www.lexisnexis.co.uk/.

For crime and fraud prevention and anti-money laundering

We investigate crime, fraud, other relevant seriously improper conduct or money laundering suspicions that involve employees. These investigations require us to process personal data held by us and by credit reference agencies or fraud prevention agencies.

If our investigations identify a fraud or money laundering risk, or the commission of any other criminal offence or other relevant seriously improper conduct by you when applying for or during the course of your employment or engagement with us, your application for a job vacancy or engagement may be refused, or your employment or existing engagement may be terminated, or other disciplinary action taken (subject to your rights under your existing contract and under employment law generally). A record of any fraudulent or relevant seriously improper conduct by you will be recorded with the relevant fraud prevention agencies and will be retained by them for up to six years. The record may result in others refusing to employ you. If you have any questions about this, please contact us using the details provided.

We, and fraud prevention agencies, may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

The fraud prevention databases we use are provided by CIFAS and Lexis Nexis.

Third party websites

Our website contains links to other websites. We accept no responsibility or liability for the content of other websites which are not under our strict control, in particular, we are not responsible for the protection and privacy of any information which you provide whilst visiting other websites and such sites are not governed by this Fair Processing Notice. Please see section titled 'Access to Website' in our Website Terms and Conditions for further details.

Email

Emails sent via the internet can be subject to interception, loss or possible alteration, therefore we cannot guarantee their security. Although we will do our best to protect your personal data, we cannot guarantee the security of your data sent by email and therefore will have no liability to you for any damages or other costs in relation to emails sent by you to us via the internet.

Cookies

Our website uses cookies (including Google Analytics cookies to obtain an overall view of visitor habits and visitor volumes to our Website). To view more information on what cookies we use and how we use them please click here to review our separate Cookie Policy.

Information Security

More information on how your personal data may be used to manage Information Security risks is set out in the STBG Acceptable Use Policy. New workers are required to read and agree to the terms of the Policy before being given access to any system or data belonging to STBG. Workers are expected to reiterate this agreement on a periodic basis.


Updates

We will keep this privacy statement under review and make updates from time to time. We will notify you of any major changes which will affect the processing of your personal data, for example if we change the credit reference agencies we use. We may make minor changes (such as to correct typographical errors, or to add information about other services which do not affect your personal data at this time) without notifying you, but shall make such information available on the Hive.

Your data protection rights

You have the right to request copies of certain items of your personal information within our custody and control and details of how we use that information. Your request should be made in writing.

If you think any of the personal information we hold about you is inaccurate, please request it is corrected or erased.

You also have rights, in certain circumstances:

  • to object to our processing of your personal information;
  • to require us to stop or restrict the processing of your personal information; and/or
  • to withdraw your agreement to processing based on 'consent'.

In relation to all of these rights, please write to us at the address below. Please note that we may request proof of identity when we receive your request.

Data Protection Officer

If you are unhappy about how your personal data has been used, please contact our Data Protection Officer using the details set out below. You also have a right to complain to the Information Commissioner's Office (https://ww.ico.org.uk), which regulates the processing of personal data.

Our Data Protection Officer can be contacted by telephone or in writing:

Data Protection Officer
Secure Trust Bank
One Arleston Way
Solihull, B90 4LH
Telephone queries can be made to: 0121 693 9100.