Potential Employee Privacy Notice

Shawbrook Bank: Privacy notice for candidates, contractors, employees and other staff

Introduction

For the purposes of this privacy notice, the data controller of your personal information is Shawbrook Bank Limited of Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, CM13 3BE (the Bank, we, us and our). This is because, in its capacity as your employer or as the company with whom you have another contract for your services, it is the person who determines why and how your personal information is processed. It does this processing in connection with its employment or other relationship with you.

Who should read this privacy notice?

This privacy notice applies to all employees, staff, contractors, officers, consultants and temporary or agency workers of the Bank as well as candidates applying for roles at the Bank (you and your).

This privacy notice does not form part of your contract of employment or any other contract you have with us to provide your services.

Candidates who visit our offices for an interview and all our employees and other staff should note in addition that we process personal information recorded on CCTV.

We may provide supplementary privacy statements to you from time to time, for instance, on CCTV signage at our premises or within consent forms. In the event of any conflict, this Privacy Notice will prevail.

Who should recruitment agencies, employment agencies and recruitment consultants direct towards this privacy notice?

All temporary and agency workers who will be placed at the Bank and all candidates who apply for roles at the Bank. The Bank takes its own steps to make this privacy notice known to these individuals but all recruitment agencies, employment agencies and recruitment consultants are required to do the same.

What does personal information mean?

This means any information which, either by itself or when combined with other information that we hold or which is available to us, can be used to identify you.

How to contact us

Please contact our Data Protection Officer on 01277 751110 if you have any queries about this privacy notice or if you wish to exercise any of the rights mentioned in it.

The categories of personal information about you that we process

The personal information we process about you may include some or all of the following:

Contact Information

  • Name(s)
  • Address(es)
  • Email address(es)
  • Contact details including mobile telephone number(s)

Personal Information

  • Contact information (see above), as relevant
  • Date of birth
  • Gender
  • Next of kin or other dependants
  • Marital or relationship status
  • Lifestyle and social circumstances (for example if you join social groups or take part in organised activities which reveal this information)
  • Emergency contact information
  • Details of dependants (where required for employee benefits)

Identity and Background Information

  • Contact information (see above), as relevant
  • Details of education and qualifications and results
  • Career history
  • Passport information (this is relevant for all staff to determine their right to work in the UK)
  • Driving licence information (we collect this from those staff who drive significant business miles to ensure that they are entitled to drive; in addition we may collect this as evidence of identity)
  • Information relating to offences or suspected offences
  • Psychometric test results (for example in the context of promotions, applications from candidates for a job, and as part of input for senior development programmes)
  • Right to work, residency and/or other visa information
  • Curriculum Vitae (CV) or resume
  • The details of languages you speak
  • Image or photographs
  • Personal details contained in any application form from a candidate applying for a role at the Bank or in relation to promotion(s) internally
  • Evaluative notes and decisions from interviews of candidates or for promotion(s) internally
  • Preferences relating to job location and salary of candidates or for promotion(s) internally
  • Conflicts of interests (including where related to family networks)
  • Information revealed by criminal record checks, fraud checks, social media checks, credit reference agency checks, financial services regulatory checks, companies house checks, qualification checks, regulatory reference checks (in each case as relevant to your role/the role for which you have applied)

Financial Information

  • Contact information (see above), as relevant
  • Bank account details
  • Salary, compensation and other remuneration information
  • National insurance number and/or other governmental identification numbers
  • Tax codes
  • Business expense and reimbursement details
  • Company (Bank) stock options and purchase plans
  • Information revealed by credit reference agency checks

Sensitive Information and Information Relating To Offences Or Suspected Offences

  • Contact information (see above), as relevant
  • Racial or ethnic origin (including your nationality)
  • Political opinions or beliefs
  • Religious or philosophical beliefs
  • Biometric data (for example your image when it is captured on CCTV)
  • Physical and mental health information (including occupational health requirements, day-to-day health concerns which we ought to be aware of (for example if you are diabetic or epileptic), dietary requirements, allergies and reasons for short term or long term absence)
  • Sexual orientation (for example if you are married or in a civil partnership or other relationship with a same sex partner and nominate him or her as your emergency contact)
  • Ethnic origin
  • Image or photographs (not limited to CCTV) which reveal racial or ethnic origin or religious beliefs
  • Health and safety and accident records and reports
  • Information revealed by criminal record checks (including details of unspent convictions), social media checks and fraud checks

Employment Administration Information

  • Contact information (see above) as relevant
  • Terms and conditions of employment
  • Work related contact details (including location and office and corporate phone numbers)
  • Image / photographs
  • Holiday and other leave related records
  • Your working preferences (for example in relation to flexible working) and feedback in relation to us (for example if we invite you to take part in employee/staff forums or steering groups)
  • Hours worked and working time preferences
  • Statutory and non-statutory leave and absence records
  • Job termination details

Job Performance Information

  • Contact information (see above), as relevant
  • Role responsibilities
  • Personal development reviews and appraisals, and associated feedback
  • Training records
  • Attendance information
  • Promotion application and/or outcome records
  • Transfer and secondment information
  • Performance evaluation checks / outcomes

Investigation, Grievance and Disciplinary

  • Contact information (see above), as relevant
  • Our investigation records
  • Grievance and disciplinary records
  • Employment tribunal records

Travel and Expenses Information

  • Contact information (see above), as relevant
  • Transaction records
  • Visa, passport and insurance details
  • Flight and accommodation booking information
  • Travel itinerary information

Benefits Information

  • Contact information (see above), as relevant
  • Information relating to any and all employee benefits programmes which we make available from time to time (for example private healthcare, employee assistance programme, childcare vouchers, cycle to work schemes, permanent health insurance/income protection schemes, life assurance and pensions memberships for you and/or your dependants or other beneficiaries)
  • Death benefit information
  • Season ticket loan records

Asset, Systems and Platform Usage and Communications Information

  • Contact information (see above), as relevant
  • Computer and phone use records, as relevant
  • Access logs and usage records from document management systems and other applications and technologies
  • User IDs and password information
  • IP addresses and device identifiers
  • Relevant records of calls, messages and/or internet or other data traffic and communications

Security, Location and Access Information and CCTV Related Information

  • Contact information (see above), as relevant
  • Information (including image and biometric data) captured or recorded by electronic card access systems, CCTV and other security control systems

Sources of this personal information

We may collect your personal information from you, for example when you give this to our HR department, input data into our HR portal, fill out our new starter form, call us or send us an email, or when you send us your CV. We will also collect your personal information directly from you day to day when you are working for us and when your image is captured on CCTV. In addition we may obtain it from other people and organisations, including some public sources, such as publicly available directories and online resources, your emergency contacts, your use of Bank assets, systems and platforms, our security control systems and IT systems, your line manager and co-workers, your dependants and beneficiaries, third party benefits providers, your use of company (Bank) payment cards for spending on company business, recruitment agencies, employment agencies and recruitment consultants (if you are a temporary or agency worker or a candidate), and from other third parties where lawful to do so.

Updates to your personal information

It is your responsibility to ensure your personal information is up to date on our HR portal. If you encounter any problems updating your personal information you can contact HR by email: askhr@shawbrook.co.uk

Do you have to provide us with your personal information?

We cannot administer our employment or other relationship with you unless we have your personal information. Employment laws and other applicable laws and regulations (including the FCA's regulatory regime) mean we do have to collect information from you.

Where provision of personal information by you to us is optional, we will make this clear, for instance you do not have to provide us with ethnicity data and you can leave this form blank in all relevant data capture forms and on the HR portal if you wish.

What processing of personal information happens for checks and assessments to meet requirements and expectations for our regulatory regime?

As a regulated entity, the Bank is required to undertake checks on employees and other staff in roles with which key risks are associated, and this means all of our employees and staff. These include criminal record checks, credit checks, fraud checks and (if you perform certain senior roles) social media checks. In addition, they include financial services regulatory checks, companies house checks, qualification checks, regulatory reference checks and performance evaluation checks (in each case as relevant to your role/the role for which you have applied).

These checks happen only after candidates have been selected and issued with copies of employment contracts for signature. The Bank performs assessments using the outcomes of these checks (more details below). For "Material Risk Takers" we will undertake some of these checks on an annual basis and some of these checks on either a 3 year or 5 year cycle. All this is explained in more detail in the table below. If your role means you are a "Material Risk Taker", this will be set out in your contract of employment, from the start of your employment. If you become a "Material Risk Taker" during your employment, you will be informed that this is the case and the impact of this will be explained to you at that time.

Here is a table summarising the checks and assessments and how frequently they are performed. There are more details about some of these checks and assessments beneath the table. In addition, see our Fitness and Propriety Policy where some of this information is set out too.

"HR" means that it is either us or our external referencing company who will perform the activity.

| Activity | By Whom | On Appointment | Frequency |
|---|---|---|---|
| Criminal Record Check (DBS) - more details below | HR | Yes | SMF/NNEDS: 3 Yrs; Cert Staff: 5 Yrs |
| CIFAS Internal Fraud Check - more details below | HR | Yes | SMF/NNEDS: 3 Yrs; Cert Staff: 5 Yrs |
| Financial Services Register Check - this is a check of the FCA Register to check that there have been no issues with their FCA registrations, if any | HR | Yes | Annually |
| Companies House Check - this is a check at Companies House to ensure the individual has not been disqualified/there have been no issues with companies for which the individual has been a director | HR | Yes | Annually |
| Social Media/Google Check - more details below | HR | Yes | Annually |
| Qualification Check - this is a standard reference check that will be undertaken for all staff on joining (it is not exclusively for Material Risk Takers) | HR | Yes | Appointment Only |
| Regulatory Reference - this is the format that references are required to be in for those individuals who hold a Senior Management function - which is set out in the FCA/PRA regulations | HR | Yes | Appointment Only |
| Performance Evaluation - these are our standard performance reviews that all staff will complete | Line Manager | No | Annually |
| Credit Check - more details below | HR | Yes | SMF/NNEDS: 3 Yrs; Cert Staff: 5 Yrs |

What are criminal record checks?

DBS (Disclosure Barring Service) checks and Disclosure Scotland checks are performed for the Bank by third party agencies. In this way we can find out information about criminal records and unspent convictions (depending on whether a basic or enhanced check is performed). They involve us sharing your personal information with third party agencies who perform these checks for us.

If you live in England or Wales you can find out more here: https://www.gov.uk/government/organisations/disclosure-and-barring-service/about

If you live in Scotland you can find out more here: https://www.mygov.scot/organisations/disclosure-scotland/

What are credit reference checks?

CRA (credit reference agency) checks involve us sharing your personal information with the UK's CRAs. They also involve us sharing your personal information with third party agencies who perform these checks for us.

The CRAs will give us information about you including about your financial situation and financial history. CRAs will supply us with both public (including the electoral register) information and shared credit, financial situation and financial history information and fraud prevention information. We will use this information to assess your financial position, to verify the accuracy of the data you have provided to us, for checks and assessments under the SM&CR (Senior Manager and Certification Regime - you will know what this term means if it concerns you) and to meet our regulatory expectations in respect of financial crime and conduct risk management.

We are required to tell you that the identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail within the Credit Reference Agencies Information Document (CRAIN). The CRAIN can be found at:

Call Credit:

Equifax

Experian:

You have a right to apply to the CRAs for a copy of your file. The information they hold may not be the same and there is a small fee that you may need to pay to each agency.

Callcredit Limited

Post: Callcredit Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP.

Web Address: https://www.callcredit.co.uk/consumer-solutions/contact-us

Email: consumer@callcreditgroup.com

Phone: 0330 024 7574

Equifax Limited

Post: Equifax Ltd, Customer Service Centre PO Box 10036, Leicester, LE3 4FS.

Web Address: https://www.equifax.co.uk/Contact-us/Contact_Us_Personal_Solutions.html

Email: www.equifax.co.uk/ask

Phone: 0333 321 4043 or 0800 014 2955

Experian Limited

Post: Experian, PO BOX 9000, Nottingham, NG80 7WF

Web Address: https://www.experian.co.uk/consumer/contact-us/index.html

Email: consumer.helpservice@uk.experian.com

Phone: 0344 481 0800 or 0800 013 8888

What are fraud checks?

The personal information we have collected from you will be shared with Fraud Prevention Agencies (including CIFAS) who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused employment or have your employment or other relationship with us terminated. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at the end of this privacy notice. These checks involve us sharing your personal information with third party agencies who perform these checks for us.

You can read the full notice from the Fraud Prevention Agency we use (this is CIFAS) on our website. Please go to https://www.shawbrook.co.uk/fair-processing-notice/

What are social media checks?

An Adverse Media check searches thousands of global news sources, including breaking news, current events, and relevant media dating back to the early 1900s. The search is conducted by using thousands of adverse keywords relating to crime, terror, fraud and other illicit activities. All articles are reviewed directly with the source to ensure the most accurate and up to date information. Because breaking news articles are searched, results can include an early warning on pending criminal and civil cases. We will formally do an adverse media search on a 3 yr/5 yr basis (as mentioned in the table). In between times, a member of Shawbrook Bank HR staff will undertake a Google search as a Social Media Check. We will do this annually.

These checks involve us sharing your personal information with third party agencies who perform these checks for us. Social media checks are not relevant to all staff; they relate only to individuals who perform senior manager roles which are subject to the SM&CR regime (you will know what this means if this relates to you).

Using and processing your personal information: the legal basis and purposes

We process your personal information for particular purposes in connection with your employment relationship with us, or your other relationship with us for your services, and for the management and administration of our business. Data protection laws require us to explain the legal grounds to justify this processing.

For some processing activities, as you will see from the lists below, we consider that more than one legal ground may be relevant. This is not the case where we rely on your consent - we will not seek your consent where we do not need it. However, this does not mean that alternative lawful reasons will not apply to justify our keeping of some personal information after you withdraw your consent. For example if you consent to something, then withdraw that consent, we will still retain your personal information if we have to do that to keep a record for our legal or regulatory compliance purposes. This is why in the lists below you will see the processing activities which we do based on your consent also mentioned in some other places.

Each lawful reason is in bold underlined text and in summary these are: contract, legitimate interests, compliance with legal obligations; protecting vital interests; and consent. Underneath each of these you will see additional headers which are also in bold text. We use these additional headers only to make things clearer for you. The lawful reasons themselves are in bold underlined text throughout.

  1. Processing that is necessary to perform the employment contract or other services contract that we have with you**:

    ** If you are an independent contractor with your own Limited company - this legal ground of the contract will not be relevant to you because the Bank's contract is with your company not you as an individual 'data subject' for data protection law purposes.

    Recruitment and workforce planning

    1. Administering and complying with the contract of employment or other contract that we have with you;
    2. Administering the role that you perform for us;
    3. Keeping a record of your right to work in the UK (as relevant);
    4. For verification and vetting including criminal record checks, credit reference checks, social media checks and fraud checks, financial services regulatory checks, companies house checks, qualification checks, regulatory reference checks (in each case as relevant to your role/the role for which you have applied);

    General employment management and administration

    1. Communicating with you and providing you with information from time to time;
    2. Paying your salary, compensation and any other benefits pursuant to your contract;
    3. Administration of payroll and remuneration and contractual, non-contractual and voluntary benefits (for example, pensions, private health benefits, permanent health insurance and other benefits programmes);
    4. Managing absence records and sick leave entitlement and administering related payments;
    5. Determining whether any adjustments are necessary to enable you to carry out your role;
    6. Carrying out performance reviews;
    7. Allocating and assigning responsibilities as necessary for workload management purposes, and measuring staff utilisation;
    8. Administering, recording and analysing training and training records;
    9. Considering your continuous suitability for your role;
    10. Handling grievance and disciplinary matters, including investigating issues, considering appropriate resolution and mitigating actions and reviewing outcomes;
    11. For periodic assessments (as relevant) using outcomes of criminal record checks, credit reference checks, social media checks and fraud checks, financial services regulatory checks, companies house checks, qualification checks, regulatory reference checks, performance evaluation checks (in each case as relevant to your role/the role for which you have applied);

    Security and governance

    1. Monitoring the security of Bank's physical premises and systems, networks and applications;
    2. Ensuring compliance with Bank's policies and procedures;

    Legal and regulatory compliance and responsibilities which are also relevant to your contract

    1. Demonstrating and monitoring our ongoing compliance with legal and regulatory obligations and other governance obligations;
    2. Complying with obligations under the contract of employment or other services contract you have with the Bank;
    3. Conducting internal investigations with respect to legal compliance, suspected misuse of or the general security of Bank's assets and information such as fraud detection and prevention, including through the use of computer forensics;
    4. Responding to employment matters where permitted by applicable law, including grievances, arbitrations, negotiations;
    5. Observing your rights and the rights of other people in relation to the processing of your personal information;
    6. Preparing returns to regulators and relevant authorities including preparation of income tax, capital gains tax, capital acquisition tax and other revenue returns;

    Day to day business operations which are also relevant to your contract

    1. Facilitating the performance of your role and responsibilities and those of the people you work with;
    2. Administering your travel and accommodation arrangements;
    3. Supporting and maintaining our technology infrastructure; and
    4. Supporting the sale, transfer or merging of part or all of our business or assets, or in connection with the acquisition of another business.
  2. Processing that is necessary for our own legitimate interests or those of third parties (such as members of the Shawbrook Group of companies) provided these are not overridden by your interests and fundamental rights and freedoms:

    Recruitment and workforce planning

    1. Administering and complying with the contract of employment or other contract that we have with you;
    2. Administering the role that you perform for us;
    3. Identifying and assessing the strategic business direction and resourcing needs, current employees and areas for development at the Bank and the Group;
    4. Promotion and succession planning;
    5. Analysing recruitment and retention objectives, processes and employee turnover rates;
    6. For verification and vetting including criminal record checks, credit reference checks, social media checks and fraud checks, financial services regulatory checks, companies house checks, qualification checks, regulatory reference checks (in each case as relevant to your role/the role for which you have applied);
    7. Developing, operating and collecting feedback on recruitment activities and selection processes;
    8. Administering your application for a job with us and considering your suitability for the relevant role;
    9. Obtaining, considering and verifying your employment references and employment history;
    10. Making a job offer to you;

    General employment management and administration

    1. Communicating with you and providing you with information from time to time;
    2. General staff administration, including workforce management, career progression, health and safety and facilities management;
    3. Administration of payroll and remuneration and contractual, non-contractual and voluntary benefits (for example, pensions, private health benefits, permanent health insurance and other benefits programmes);
    4. Managing annual leave entitlement and records, and administering related payments;
    5. Managing absence records and sick leave entitlement and administering related payments;
    6. Administering our insurance policies;
    7. Preparing risk assessments to prevent future injuries in the workplace;
    8. Carrying out performance reviews;
    9. Allocating and assigning responsibilities as necessary for workload management purposes, and measuring staff utilisation;
    10. Administering, recording and analysing training and training records;
    11. Supporting the establishment and maintenance of staff directories;
    12. Considering your continuous suitability for your role;
    13. Handling grievance and disciplinary matters, including investigating issues, considering appropriate resolution and mitigating actions and reviewing outcomes;
    14. For periodic assessments (as relevant) using outcomes of criminal record checks, credit reference checks, social media checks and fraud checks, financial services regulatory checks, companies house checks, qualification checks, regulatory reference checks, performance evaluation checks (in each case as relevant to your role/the role for which you have applied);
    15. Setting up and administering business continuity cascades by telephone call (if you are an employee or other member of staff you will know what this means and if you are a candidate this is not relevant to you);

    Security and governance

    1. Monitoring the security of Bank's physical premises and systems, networks and applications (including for example by CCTV);
    2. Identifying and authenticating employees and other individuals;
    3. Establishing a network of emergency contacts for individuals in case of emergency;
    4. Preventing fraud and other crime;
    5. Ensuring compliance with Bank's policies and procedures;

    Legal and regulatory compliance and responsibilities which are also relevant to legitimate interests

    1. Demonstrating and monitoring our ongoing compliance with legal and regulatory obligations and other governance obligations;
    2. Conducting internal investigations with respect to legal compliance, suspected misuse of or the general security of Bank's assets and information such as fraud detection and prevention, including through the use of computer forensics;
    3. Conducting internal or external audits of the Bank's records and information, operations and legal compliance;
    4. For verification and vetting and for periodic assessments (as relevant) using outcomes of criminal record checks, credit reference checks, social media checks and fraud checks, financial services regulatory checks, companies house checks, qualification checks, regulatory reference checks, performance evaluation checks (in each case as relevant to your role/the role for which you have applied);

    Day to day business operations which are also relevant to legitimate interests

    1. Facilitating the performance of your role and responsibilities and those of the people you work with;
    2. Implementing, adapting and enhancing systems and processes to develop or improve our business and/or make your job easier or more enjoyable;
    3. Managing, planning and delivering our global business, sales and marketing strategies;
    4. Supporting our diversity programmes and staff support networks and initiatives;
    5. Administering your travel and accommodation arrangements;
    6. Publishing external facing materials for marketing and public relations purposes such as where we mention you in the context of the Bank's projects and initiatives in our marketing materials, social media posts and press releases;
    7. Supporting and maintaining our technology infrastructure;
    8. Managing access to personal information within the Bank's IT applications used to process personal information;
    9. Supporting the sale, transfer or merging of part or all of our business or assets, or in connection with the acquisition of another business;
    10. For management and audit of our business operations, including accounting;
    11. When we monitor emails, calls and other communications and activities (see below for more information about this including why we do this and what systems/communications are monitored);
    12. To deal with our good governance requirements;
  3. Processing that is necessary to comply with our legal obligations:

    Recruitment and workforce planning

    1. Keeping a record of your right to work in the UK (as relevant);

    General employment management and administration

    1. Communicating with you and providing you with information from time to time;
    2. Calculating your entitlements to any statutory/contractual benefits;
    3. General staff administration, including workforce management, career progression, health and safety and facilities management;
    4. Administration of payroll and remuneration and contractual, non-contractual and voluntary benefits (for example, pensions, private health benefits, permanent health insurance and other benefits programmes);
    5. Managing absence records and sick leave entitlement and administering related payments;
    6. Managing maternity, paternity, adoption, parental and dependants leave and (where applicable) pay;
    7. Administering our insurance policies;
    8. Determining whether any adjustments are necessary to enable you to carry out your role;
    9. Preparing risk assessments to prevent future injuries in the workplace;
    10. Carrying out performance reviews;
    11. Administering, recording and analysing training and training records;
    12. Handling grievance and disciplinary matters, including investigating issues, considering appropriate resolution and mitigating actions and reviewing outcomes;

    Security and governance

    1. Monitoring the security of Bank's physical premises and systems, networks and applications;
    2. Preventing fraud and other crime;

    Legal and regulatory compliance and responsibilities

    1. For compliance with legal and regulatory obligations and other governance obligations;
    2. To carry out fraud checks and assessment of results;
    3. Compliance with obligations under the contract of employment or other services contract between you and the Bank;
    4. For establishment, defence and enforcement of our legal rights or those of any other member of our Group, including complying with disclosure orders arising in civil proceedings;
    5. Responding to binding requests from courts, governmental, regulatory and/or law enforcement bodies and authorities;
    6. For activities relating to the prevention, detection and investigation of crime;
    7. To process information about a crime or offence and proceedings related to that;
    8. When we monitor emails, calls and other communications and activities (see below for more information about this including why we do this and what systems/communications are monitored);
    9. Conducting internal investigations with respect to legal compliance, suspected misuse of or the general security of the Bank's assets and information such as fraud detection and prevention, including through the use of computer forensics;
    10. Conducting internal or external audits of the Bank's records and information, operations and legal compliance;
    11. Responding to employment matters where required by applicable law, including grievances, arbitrations, negotiations;
    12. Observing your rights and the rights of other people in relation to the processing of your and/or their (as relevant) personal information; and
    13. Preparing returns to regulators and relevant authorities including preparation of income tax, capital gains tax, capital acquisition tax and other revenue returns;

    Day to day business operations

    1. Supporting our diversity programmes and staff support networks and initiatives;
    2. Managing access to personal information within the Bank's IT applications used to process personal information; and
    3. Supporting the sale, transfer or merging of part or all of our business or assets, or in connection with the acquisition of another business.
  4. Processing that is necessary to protect your own vital interests (or those of someone else):
    1. Contacting the appropriate person in the event of an emergency concerning you;
    2. Establishing a network of emergency contacts for individuals in case of emergency; and
    3. Responding to binding requests from courts, governmental, regulatory and/or law enforcement bodies and authorities where your vital interests or another person's vital interests are at stake.
  5. Processing with your consent:
    1. When you request that we share your personal information with someone else and consent to that;
    2. Publishing external facing materials for marketing and public relations purposes such as where we mention you in the context of the Bank's projects and initiatives in our marketing materials, social media posts and press releases;
    3. Supporting our diversity programmes and staff support networks and initiatives;
    4. Observing your rights and the rights of other people in relation to the processing of your and/or their (as relevant) personal information; and
    5. For some of our processing of special categories of personal data such as about your health or disability access needs in cases where we need your consent such as where employment law (or other applicable law) does not make this lawful already.

How and when can you withdraw your consent and what are the consequences?

Much of what we do with your personal information is based on other legal grounds (see above). For processing that is based on your consent, you have the right to withdraw that consent for future processing at any time. You can contact our DPO for this (details as above).

The consequences might be that:

  • We might be unable to share your personal information with mortgagors, banks or other financial institutions to whom you have asked us to give your details, or future employers to whom you have asked us to supply a reference; please note that we cannot take back personal information if that has already been shared by the time you withdraw consent;
  • We might be unable to involve you in our diversity programmes and staff support networks and initiatives (where we rely on your consent in relation to this and if alternative lawful reasons do not apply in particular cases); and
  • We might not be able to involve you in the external facing materials mentioned above (where we rely on your consent in relation to this and if alternative lawful reasons do not apply in particular cases); please note that we cannot take back personal information such as your name and your photograph if that has already been used externally by the time you withdraw consent.

If you have consented to sharing of your personal information in the context of an access rights request under data protection laws by someone else, and then withdraw your consent, please note that we cannot take your personal information back from them.

As mentioned, if you consent to something, then withdraw that consent, we will still retain your personal information if we have to do that to keep a record for our legal or regulatory compliance purposes.

Sharing your personal information

We may share your personal information with the following parties (and our lawful reasons for this sharing are as indicated above):

  1. Other companies within the Shawbrook Group (further details below);
  2. Our legal and professional advisers, such as our auditors and external legal advisors in the event of, for example, sale or restructuring of our business;
  3. Third party service and administration companies, such as those that undertake the day to day servicing of our business on our behalf as part of an outsourcing arrangement;
  4. Other third parties and/or sub-contractors acting on our behalf, such as back up and server hosting providers, our IT software and maintenance providers;
  5. Recruitment agencies, employment agencies and recruitment consultants;
  6. Purchasers of any part of our business, and their professional representatives;
  7. Agencies who carry out credit reference checks, social media checks, criminal record checks and fraud checks for the Bank (and, in turn, Disclosure Scotland and Disclosure Barring Service in England & Wales, fraud prevention agencies and credit reference agencies will have your personal information), financial services regulatory checks, companies house checks, qualification checks, and regulatory reference checks (in each case as relevant to your role/the role for which you have applied);
  8. Law enforcement agencies such as the police (for example, police requests for CCTV and other personal information if we are satisfied each time that their request can be complied with based on legitimate interest (ours or theirs) or if they present us with a Court order);
  9. Regulatory bodies such as HMRC, the Financial Conduct Authority, the Prudential Regulation Authority, the Information Commissioner's Office and the police;
  10. Courts and as may otherwise be necessary in order to comply with a legal requirement, for the administration of justice, to protect vital interests and to protect the security or integrity of our business operations; and
  11. Employment related benefits providers and other third parties in connection with your benefits (such as pension trustees).

International transfers

Your personal information may be transferred outside the UK and the European Economic Area. Whilst some countries already have adequate protections for personal information under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to maintain the same levels of protection as are needed under data protection laws in the UK.

For more information about what those appropriate safeguards are and how to obtain a copy of them or to find out where they have been made available you can contact our DPO (details as above).

Monitoring of communications

Subject to applicable laws, we will monitor and record calls, email, text messages on company smartphones, social media messages (you should note that our PR agency will do this monitoring on our behalf), the personal use of Bank systems and devices made by employees and other staff, and all other communications on Bank systems and devices. We will do this monitoring for compliance with regulatory rules, in particular, where we are required by the Financial Conduct Authority regulatory regime to record telephone lines we will do so. We will also do this monitoring for compliance with self-regulatory practices or procedures relevant to our business, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures, and for quality control and staff training purposes. All of our telephone lines are recorded for these purposes. This is relevant to all our employees and other staff, including those in a customer facing role and in a back office role. In addition, where appropriate and having regard to applicable data protection law our monitoring will be to check for obscene or profane content in communications.

In very limited and controlled circumstances we may conduct short term carefully controlled monitoring of your activities where this is necessary for our legitimate interests or to comply with a legal obligation. We may do this for instance where we have reason to believe that fraud or other crime is being committed, where disciplinary offences are suspected and where the monitoring is proportionate to the type of the disciplinary offence, or where we suspect non-compliance with anti-money laundering regulations to which we are subject.

For how long is your personal information retained by us?

We need to keep your personal information for as long as necessary to fulfil the purposes for which it was collected (and those purposes are as described above). This includes retaining it during the period of your employment or other services arrangement with us and then, after this ends, for as long as necessary in order to comply with our legal and regulatory requirements and in case of claims. This means we may keep some categories of personal information about you for longer than others.

The criteria we currently use to determine data retention periods for your personal information are set out below. You should note that the retention periods we mention may change from time to time. Always look at our Retention Policy for the most up to date information. It is incorporated by reference into this privacy notice. If you are a candidate you will not have access to our Retention Policy until you join but as you will see (below) the only retention period relevant to you if you are unsuccessful in your application is already described here. If you are successful in your application you will have access to our Retention Policy as soon as you join us.

  • Retention in case of queries. If you are an employee or other member of staff we will retain it in case of queries from you (for instance, if you apply unsuccessfully for a promotion). We will keep this personal information as part of your HR record for the length of your employment or other services arrangement with us. We may have to keep it for a longer period (see directly below). If you are a candidate we will keep your personal information and this includes your CV for the length of the recruitment campaign and for 12 months after that (i.e. after we complete the application process relating to the role) in case of queries from you. We will only retain it after that if you are the successful candidate (this will be part of your employment records).
  • Retention in case of claims. We will retain certain of your personal information for the period in which you might legally bring claims against us. This means your personal information will usually be held by us for a period of just over 6 years after the end of the employment or other relationship with us. We may have to keep it for a longer period (see directly below).
  • Retention in accordance with legal and regulatory requirements. We will retain your personal information for longer than 6 years where we are required to do so by laws or regulations (e.g. some health and safety laws). Please refer to our Retention Policy for further details.
  • Other retention periods relevant to employee/staff records: Certain employee/staff related records have a different time frame to those set out above. Please refer to our Retention Policy for further details.
  • Retention of CCTV images. We apply separate criteria to retention of these records, as follows. We retain CCTV images for 3 months and after that they will be erased because we will not need to retain them for the purposes listed (above).

In addition, any personal information contained in any work related correspondence (such as emails) or other records may be retained for longer periods dependent on the retention period of the file in which your personal data is held.

If you have any questions or queries about the Bank's policy about periods for retention specifically in relation to your personal information you can contact our DPO (details as above).

Your rights under applicable data protection law

Your personal information is protected under data protection law and you have a number of rights which you can enforce against us as your data controller. You should be aware that these rights do not apply in all circumstances. If you seek to exercise one against us it will at that stage be explained to you whether or not the right does apply to you based on the facts. Your rights are as follows:

  • The right to be informed - including about our processing of your personal information. This is the reason for this privacy notice.
  • To have your personal information corrected if it is inaccurate and to have incomplete personal information completed in certain circumstances.
  • The right in some cases to object to processing of your personal information (as relevant). This right allows individuals in certain circumstances to object to processing based on legitimate interests, direct marketing and processing for purposes of statistics.
  • The right in some cases to restrict processing of your personal information, for instance where you contest it as being inaccurate (until the accuracy is verified); where you consider that the processing is unlawful and where this is the case; and where you request that our use of it is restricted; or where we no longer need the personal information.
  • The right to have your personal information erased in certain circumstances (also known as the "right to be forgotten"). This right is not absolute - it applies only in particular circumstances and where it does not apply any request for erasure will be rejected. Circumstances when it might apply include where the personal information is no longer necessary in relation to the purpose for which it was originally collected/processed, if the processing is based on consent which you then withdraw, when there is no overriding legitimate interest for continuing the processing, if the personal information is unlawfully processed, or if the personal information has to be erased to comply with a legal obligation. Requests for erasure will be refused where that is lawful and permitted under data protection law for instance where the personal information has to be retained to comply with legal obligations or to exercise or defend legal claims.
  • To request access to the personal information held about you and to obtain certain prescribed information about how we process it. This is more commonly known as submitting a "data subject access request".
  • To move, copy or transfer certain personal information. Also known as "data portability". You can do this where we are processing your personal information based on a consent or a contract and by automated means.
  • Rights in relation to automated decision making about you including profiling in cases where this has a legal or other significant effect on you as an individual. This right allows individuals in certain circumstances to access certain safeguards against the risk that a potentially damaging decision is taken without human intervention. We mention this right for completeness only. We do not do this type of processing of your personal information at this time.

In addition, you have the right to complain to the Information Commissioner's Office (the ICO) which enforces data protection laws. You can visit its website for more information: https://ico.org.uk/

For more information about all of these rights and how to exercise them you can contact our DPO (details as above).

Data anonymisation and use of aggregated information

Your personal information may be converted into statistical or aggregated data in such a way as to ensure that you are not identified or identifiable from it. Aggregated data cannot be linked back to you as a natural person. It might be used to conduct research and analysis, including to produce statistical research and reports. This aggregated data may be shared in several ways, including with our group companies and for the same reasons as your personal information (see above). For example, we might share aggregated data with bidders or purchasers when we are supporting the sale, transfer or merging of part or all of our business or assets. We will also share aggregated data with the relevant government agency and the statutory body which has powers to enforce gender pay reporting legislation. We have to do this because this legislation requires us to publish statutory calculations every year showing how large the pay gap is between our male and female employees.

Who is in the Shawbrook Group?

The companies currently in the Shawbrook Group are Shawbrook Bank Limited, Shawbrook International Limited, and Shawbrook Group PLC.

Last updated: April 2018.