Business Banking Privacy

We want you to know that TSB respects the information we hold on you and your business, and that we take the security of your information very seriously.

If you want to print our Business Banking Data Privacy Notice, please open the relevant section below, right click and select your printing option.

In addition to our Data Privacy Notice below, you can find out more about data protection in our handy frequently asked questions.

Our Data Privacy Notice

Your information will be held by TSB Bank plc ('TSB').

UK Data Protection Laws require us to manage all personal information in accordance with the Data Protection Principles. In particular, we are required to process your personal information fairly, lawfully and in a transparent manner. This means that you are entitled to know how we intend to use any information you provide. You can then decide whether you want to give it to us in order that we may provide the product or service that you require. All our employees are responsible for maintaining customer confidentiality. We provide training and education to all employees to remind them about their obligations. In addition, our policies and procedures are regularly audited and reviewed.

We are TSB Bank, 20 Gresham Street, London, EC2V 7JA.  

TSB is committed to providing a real alternative in business banking in Britain. We want you to have trust and confidence in us and how we deal with your business information, and the personal information we collect during our relationship.

When providing business banking services, we manage personal information. This includes information relating to product parties and business parties. This personal information is protected by the UK’s privacy laws. These privacy laws do not apply to information about Partnerships in Scotland, Limited Liability Partnerships or Limited Companies, but do apply to information relating to product parties, business parties or any other individual whose information we manage. We will, of course, treat your business information as private and confidential and make sure it is kept secure.

Some of the information we receive is known as ‘special category data’ or ‘criminal offence data’ and it’s considered more sensitive than other personal data. This is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data (where used for identification purposes); data concerning health; data concerning a person’s sex life; data concerning a person’s sexual orientation; and criminal offence data. When processing this type of information extra care is needed, and this is explained in our ‘Appropriate Policy Document’, which is reproduced in the Appendix below.

We have a dedicated team that looks after data privacy rights. We also have a Data Protection Officer ("DPO") to guide our business and oversee our use of your personal information. Please see below for their contact information and for more information on how we manage your personal information.

Data Rights Team
The Data Rights Team
TSB Bank
Ariel House
2138 Coventry Road
Sheldon
Birmingham
B26 3JW

You can also email: privacy@tsb.co.uk

Data Protection Officer
The Data Protection Officer
TSB Bank
20 Gresham Street
London
EC2V 7JA

When you apply for a product or service, and throughout our relationship, you will provide personal information to us, and we will gather certain personal information from other sources, some of which may be publicly available.

Whose data will we receive? Business parties and product parties.
What type of data will we receive?
  • Data confirming their identity.
  • Data relating to their credit history and status of that or any associated person.
  • Data relating to any fraudulent activity or suspected fraudulent activity concerning business parties / product parties or any associated person.
  • Data relating to Politically Exposed Persons (PEPs).
Who does the data come from?
  • You.
  • Credit Reference and Fraud Agencies. Further information is set out below.
  • CIFAS, a not-for-profit fraud prevention membership organisation. For more information on CIFAS, go to www.cifas.org or write to: Consumer Affairs, CIFAS, 6th Floor, Lynton House, 7-12 Tavistock Square, London, WC1H 9LT.

Whose data will we receive? Guarantors, deposit providers, and similar.
What type of data will we receive? Where a person guarantees to pay TSB any sums that you may owe, or provides a deposit (for example, when you take out a mortgage), we will record sufficient details to allow us to contact them if / when required. Where they provide the deposit from their bank account, we will record the account details.
Who does the data come from? You.

Whose data will we receive? Employees and others associated with you.
What type of data will we receive? In some circumstances, you may provide us with employees’ details such as name, address and payroll number.
Who does the data come from? You.

Whose data will we receive? Providers of professional services.
What type of data will we receive? Business / trading name, address, contact details, internal reference, membership of professional bodies, levels of insurance (if any), identity of client and other information that is supplied to us for the professional services in question.
Who does the data come from? You, the person or entity to which you are providing professional services, professional bodies and public sources.

We can’t open or maintain an account or service if you don’t give us certain information. For example, we will not be able to open an account unless you provide details about product parties and business parties.

We use personal information so that we can deliver the banking service that business wants in the 21st century. This includes using personal information so that we can:

Provide you and/or business parties and/or product parties with services.

This is necessary to comply with our contractual obligations to you under our Terms and Conditions.

Identify products and services which might be suitable for you and/or business parties and/or product parties.

We need to do this to meet our legitimate business interests in providing our customers with products and services that they like. You are under no obligation to make use of these products or services.

Assess lending and insurance risks.

This is necessary for us to meet our legitimate interests in making sure we have an appropriate risk profile. Ensuring that we do not take excessive risks is in the public benefit, as we make sure your money is kept safe.

Recover debts, prevent, detect and prosecute fraud and other crimes.

This is necessary to meet our legitimate interests in exercising our rights and making sure that you and other customers are not subject to crime or fraudulent activity.

Manage our and any member of our Group's relationship with you and/or business parties and/or product parties.

We may need to do this to make sure we can meet our contractual obligations under our Terms and Conditions. It also lets us access your account details when you contact us.

Update our records about you and/or business parties and/or product parties.

This is necessary to meet our legitimate interests in keeping our records accurate and up to date, and to make sure that we do not use out of date information about you.

Improve our performance.

This includes testing new systems and checking upgrades to existing systems, training, undertaking transactional analysis, conducting audits, assessing lending and insurance risks. It also covers customer modelling, statistical and trend analysis with the aim of developing and improving products and services, and providing information to Regulators. We do this to meet our legitimate interests in giving our customers better services, and making sure commercial and personal information is appropriately protected.

To undertake consumer experience research, we may pass your contact details to our trusted third-party market research companies, who may contact you on our behalf to conduct surveys and provide us with the results of your customer experience. We will use this information to develop products, services and process improvements. You will be given the opportunity to opt-out of these.

Improve security and combat fraud.

We use biometric data analysis to combat fraudsters. When you use a Business debit card to purchase goods or services online we will ask you to enter your email address, as well as a One Time Password sent to your phone at the point of payment. Although we won’t store or check your email address we will analyse the unique way you type your email address and the One Time Password as part of our identity verification. So should anyone else try to use your Business debit card to make an online purchase, we’ll be alerted to it because of the way they enter your details. The legal basis for this is the substantial public interest of combatting fraud.

Send direct marketing and promotional material.

We will offer you, product parties and business parties, an opportunity to receive direct marketing and promotional information which we think may be of interest, by post, email, phone or SMS. We will only send marketing if you let us know you want to receive it.

We respect your choices. Product parties and business parties can ask us to stop sending marketing to them at any time by contacting our Data Rights Team, by clicking 'unsubscribe' in any marketing email we send, or by following the instructions in our marketing SMS. When this happens, we will stop.

We may ‘profile’ TSB customers to allow us to identify relevant opportunities to promote TSB services to our customers. This may include reviewing historic and current data about which account or services you hold, the way you operate your accounts, your account balances and the transactions on your TSB accounts. This could include analysis of individual payments in and out of your accounts.

The profiling we carry out will aim to ensure the marketing of our products and services is likely to be of interest to you. We’ll do this through TSB channels, such as our branches, websites, mobile apps, telephone service; or through non-TSB channels, such as social media, websites, radio or TV advertising.

The lawful basis for the profiling we do, and any tailored marketing through these channels, is our legitimate interests. This means we have a legitimate interest in carrying out these activities in order to promote our business and to help ensure that our customers only receive useful information which is likely to be of interest to them. You can object to this by contacting our Data Rights Team. This means you’ll see more general marketing, and the pages and ads may be less relevant to you; the number of advertisements will generally remain the same.

Social Media.

If product parties and/or business parties engage with TSB through social media, we may use this information to interact with them. We only use this information if you actively engage with or publish a post about TSB through social media, on the basis that it is in our legitimate interests to engage and interact with you when you discuss TSB and / or connect with us.

To deliver the best customer experience, we partner with software providers that allow us to connect with them via online communities and blogs. These partners manage personal information only in accordance with our instructions. Personal information will not be stored or transferred outside the European Economic Area (“EEA”) and/or United Kingdom. TSB can instruct these partners to delete all personal information, or return it securely to TSB, at the end of our contract with them. A list of EEA members is given in the footnote below.

Do what you ask us to do.

If you want particular services from us, or want to ask us a question, we will use product parties and/or business parties personal information to answer you. This is to meet our legitimate interests in making sure we can give you the best possible service.

Comply with legal obligations.

This might include providing information to HMRC, preventing money laundering and doing what our Regulators require. We only do this where strictly necessary to comply with these legal obligations.

To deliver better banking for Britain.

This includes using personal information to make sure we manage and develop customer relations; assess the suitability of existing and proposed products for our customers; pass information to Credit Reference Agencies (as described below); conduct internal or external reviews of our performance and quality.

We also instruct our internal or external legal teams; detect and prevent fraud and liaise with police and other anti-fraud agencies; engage with and interact on social media; and make sure we manage TSB as effectively and efficiently as possible.

We use personal information in this way as it is in our business interests to do so, and it allows us to defend our rights, provide a better service to our customers and understand what our customers want from us. Whenever we use personal information, we will always make sure we work to protect personal data interests and rights. We will not use personal information for any purpose which is contrary to those set out above. We will keep data appropriately secure, and tell customers when we use it for a new purpose.

We treat personal information as private and confidential, but may disclose it outside TSB in some circumstances, to fulfil the purposes set out above (including sharing with partners with whom we provide services as described above). This may include sharing it with subcontractors, who will act only on our instructions or our behalf and will use your information only for the purposes set out above.

We will disclose information to others:

To meet our contractual obligations to you in accordance with the Terms and Conditions, including where:

  • Other product parties and/or business parties may be entitled to see your transactions
  • It is needed by other parties connected with your account (including guarantors)
  • We need to share information with other lenders who also hold a charge on your property

Where we must comply with legal obligations to which we are subject, including where:

  • HMRC or other authorities require it
  • The law, a regulatory body or the public interest requires it
  • It is required as part of our duty to protect your accounts - for example we are required to disclose your information to the UK Financial Services Compensation Service (FSCS) or it’s required by us or others to detect, investigate or prevent crime or fraud
  • Or where the person consents or asks us to. If they give their consent, they can withdraw it at any time and we'll stop disclosing the information in that way

Credit Reference Agencies

In order to process your application for a product or service, we will perform credit and identity checks with one or more credit reference agencies (“CRAs”). Where you take banking services from us, we may also make periodic searches at CRAs to manage your account with us. 

To do this, we will supply business and personal information relating to you, product parties and/or business parties to CRAs and they will give us information about you and these people. This will include information from your credit application and about your financial situation, and financial history, as well as that of the product parties and business parties. CRAs will supply us with public (including the electoral register) and shared credit, financial situation and financial history information as well as fraud prevention information. 

We will use this information to:

  • Consider your creditworthiness and whether you can afford to take the product
  • Verify the accuracy of the data you have provided to us
  • Prevent criminal activity, fraud and money laundering
  • Manage your account(s)
  • Trace and recover debts
  • Make sure any offers are appropriate to your circumstances   

We will continue to exchange information with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs. 

When CRAs receive a search from us they will place a search footprint on your credit file and that of the product parties and business parties.  These footprints may be seen by other lenders. 

If you tell us that you have a spouse or financial associate, we will link your records together. You should make sure you discuss this with them, and share this information, before making the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your spouse, or financial associate successfully files for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and data protection rights with the CRAs are explained in more detail at www.experian.co.uk/crain. CRAIN is also accessible from each of the CRAs that TSB uses – clicking on any of these links will also take you to the same CRAIN document:

TransUnion www.transunion.co.uk/crain

Experian www.experian.co.uk/crain

Fraud Prevention Agencies

The government also requires us to screen applications that are made to us, to make sure we are complying with the international fight against terrorism, money laundering, modern slavery and other criminal activities. So we may need to disclose information to government bodies and to fraud prevention agencies to meet these legal obligations.

We will study patterns of activity, check for unusual transactions and monitor devices used to access TSB’s systems, including their Internet Protocol (IP) addresses. This may include using widely available geographical mobile phone or other technology to assess the location where you or any devices may be located.

General 

Before we provide services, goods or financing to your business, we undertake checks for the purposes of preventing fraud and money laundering, and to verify the identity of the business, product parties and business parties. These checks require us to process personal data about these people.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details of product parties and business parties.

We and fraud prevention agencies may also enable law enforcement agencies to access and use this personal data to detect, investigate and prevent crime.

We process this personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.

Fraud prevention agencies can hold this personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

Consequences of processing 

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing that has been requested, or we may stop providing existing services to you or your business.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you or the business. If you have any questions about this, please contact us on the details above.

Data transfers  

Whenever fraud prevention agencies transfer personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

If we or any other company in our Group wishes to sell or transfer all or part of its business and assets, or any associated rights or interests, or to acquire a business or enter into a merger, we/it may disclose your personal data and confidential business information to any potential buyer, transferee, merger partner or seller and its advisers and any other persons we/it may reasonably decide, provided that each person to whom information is disclosed promises to keep it confidential. If the sale or transfer is completed, the buyer, transferee or merger partner may continue to use and disclose the information, subject to the same provisions set out here.

Data-sharing with our parent company

TSB Bank plc is owned by Banco de Sabadell.  In order for Banco de Sabadell and/or TSB to comply with its legal obligation(s) to report to European capital risk supervisory regulators and/or UK regulators or because it is in our legitimate interests to do so, we will share personal data with Banco de Sabadell in their capacity as a data controller or processor, for that purpose. The data shared will be within the EEA* and is therefore protected to a similar standard to when it is in the UK.

You have the same rights with regard to Banco de Sabadell’s processing as you do when TSB is processing/using your personal data; these rights are explained in section 6 below. Should you wish to exercise rights in relation to our parent company’s processing, please contact Banco de Sabadell’s dedicated data rights team at: Derechos PD, a través de su domicilio, Alicante (03007), Avda. Óscar Esplá nº 37, 03007, Alicante, Spain or by email: ejercicioderechosprotecdatos@bancsabadell.com.

The personal data shared will generally be held for up to six years depending on the reporting required.  For example, where the data is used to identify if customers have more than one holding across the Group to meet regulatory requirements or enable reporting to the EU and UK regulators, non-matched data will be retained by Banco de Sabadell for three months and matched data for six years.

If you have a problem with accessing your information or you are concerned about the way Banco de Sabadell has handled your information then, in addition to complaining to the ICO, you can also complain to the Spanish data protection regulator: Agencia Española de Protección de Datos (“AEPD”): www.aepd.es.

Should you require access to your information directly from Banco de Sabadell, please contact their Data Rights Team: Derechos PD, a través de su domicilio, Alicante (03007), Avda. Óscar Esplá nº 37, 03007, Alicante, Spain or by email: ejercicioderechosprotecdatos@bancsabadell.com. Further information about Banco de Sabadell’s processing can be found in their general customer information notice and in their Data Privacy Notice.

* Countries that belong to the EEA: Austria, Belgium, Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.

The UK and other EEA countries provide a high standard of data protection and privacy. We may run your accounts and provide other services from centres outside the UK and EEA, which are not considered by the European Commission to have a similar standard of legal protection for personal information. If so, we will require personal information to be protected to at least UK standards.

To do this, we make sure we only transfer personal information to countries which are regarded under EU law as providing an adequate level of protection for personal information, to companies in the USA which are certified as providing an adequate level of protection, or we will put in place contractual commitments which make sure they provide an adequate level of protection.

If you want to learn more about the specific countries to which we transfer personal data, or if you wish to obtain a copy of the safeguards we have in place for particular countries, please contact the Data Rights Team.

We may process payments through other financial institutions such as banks and the worldwide payments system operated by the SWIFT organisation if, for example, you make a CHAPS payment or a foreign payment. Those external organisations may process and store personal information abroad and may have to disclose it to foreign authorities to help them in their fight against crime and terrorism. If these are based outside the UK and the European Economic Area (“EEA”), such personal information may not be protected to standards similar to those in the UK, but we will take steps, including through contractual commitments, to make sure that an adequate level of protection is provided. A list of EEA countries is given in the footnote above.

We will only keep personal information for as long as your application for an account or product is being processed, or for as long as you have accounts or products with us. We will also keep your personal information for a certain period after your application has ended or you have closed your accounts.

When working out how long this period will last, we take into account our legal obligations, the expectations of financial and data protection regulators, and the amount of time we may strictly need to hold your personal information to carry on our business or defend our rights. For example, if you have an account with TSB, we will keep your information and details of the account while the account is open. To meet our legal and regulatory requirements, we must keep a lot of this information for a number of years after the account is closed, even if you do not have another account with us. We will also keep your information in archived form in order to defend our legal rights (which may be for the period in which legal claims can be made under applicable law; in the UK, this is six years for contractual claims). We have policies and procedures in place to make sure we delete information that is no longer needed for any of these purposes.

If we are not able to completely delete, destroy or anonymise your personal information within these times because, for example, there are inter-dependencies between IT systems, we will limit access to your personal information or put it beyond use wherever possible.

People in the UK and across the EEA have certain rights over their personal information. These include the right to get a copy of their personal information or have some elements of it transmitted to themselves or another company in a common electronic format. In certain circumstances, they can have their personal information corrected or erased, or have our use of their personal information restricted.

They also have the right to object to our uses of their personal information as described above. 

Anyone who wishes to know more about their data rights should read our Data Privacy Notice, which can be found at: www.tsb.co.uk/privacy. They can also collect a copy at any TSB branch. We will generally not charge a person for exercising these rights. 

We aim to work with you in relation to any request, complaint or question you have about your personal information. However, if you believe we have not adequately resolved a matter, you can complain to the Information Commissioner's Office (the "ICO").

You have a right, at any time, to complain to the ICO, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. You can follow this link to their website: www.ico.org.uk or ask for details from our Data Rights Team.

Appendix
Special Category Data
Appropriate Policy Document
Processing of special categories of personal data and criminal offence data 

As part of TSB’s functions, we process special category data and criminal offence data in accordance with the requirements of Article 9 and 10 of the General Data Protection Regulation (‘GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’). 

Special category data 
Special category data is defined at Article 9 GDPR as personal data revealing: 
  • Racial or ethnic origin; 
  • Political opinions; 
  • Religious or philosophical beliefs; 
  • Trade union membership; 
  • Genetic data; 
  • Biometric data for the purpose of uniquely identifying a natural person; 
  • Data concerning health; or 
  • Data concerning a natural person’s sex life or sexual orientation. 

Criminal offence data

Article 10 GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’. For the avoidance of doubt criminal offence data is not in itself special category data. 

This policy document 

Some of the Schedule 1 conditions for processing special category and criminal offence data require us to have an Appropriate Policy Document (‘APD’) in place, setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. 

This document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018. 

In addition it provides some further information about our processing of special category and criminal offence data where a policy document isn’t a specific requirement. The information supplements our privacy notice and staff privacy notice.  

Conditions for processing special category and criminal offence data 

We process special categories of personal data under the following GDPR Articles: 

i. Article 9(2)(a) – explicit consent 

In circumstances where we seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing. 

Examples of our processing include staff dietary requirements and health information we receive from our customers who require a reasonable adjustment to access our services. 

ii. Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on TSB or the data subject in connection with employment, social security or social protection. 

Examples of our processing include staff sickness absences and checking if individuals are entitled to work in the UK. 

iii. Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. 

Examples of our processing include where an individual needs emergency medical services but is unconscious or otherwise incapable of giving consent.  

iv. Article 9(2)(f) – if processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. 

Examples of our processing include processing relating to litigation in relation to collection and recoveries. 

v. Article 9(2)(g) – for reasons of substantial public interest. 

Examples of our processing include the information we seek or receive as part of investigating fraud. 

We process criminal offence data under Article 10 of the GDPR. 

Examples of our processing of criminal offence data include pre-employment checks and declarations by an employee in line with contractual obligations. 

Processing which requires an Appropriate Policy Document 

Almost all of the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018, plus the condition for processing employment, social security and social protection data, require an Appropriate Policy Document (see Schedule 1 paragraphs 1 and 5). 

This section of the policy is the Appropriate Policy Document for TSB. It demonstrates that the processing of special category and criminal offence (‘CO’) data based on these specific Schedule 1 conditions is compliant with the requirements of the GDPR Article 5 principles. In particular, it outlines our retention policies with respect to this data. 

Description of data processed 

We process the special category data about our employees that is necessary to fulfil our obligations as an employer. This includes information about their health and wellbeing, ethnicity, photographs and their membership of any trade union. Further information about this processing can be found in our staff privacy notice. 

Our processing for reasons of substantial public interest relates to the public good, or what is in the best interests of society. This includes ensuring equality or preventing fraud. Further information about this processing can be found in our privacy notice.   

We also maintain a record of our processing activities in accordance with Article 30 of the GDPR. 

Schedule 1 conditions for processing 

We process Special Category Data for the following purposes in Part 1 of Schedule 1: 

Paragraph 1(1) employment, social security and social protection. 

We process special category data for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context: 

  • Paragraph 8(1) equality of opportunity or treatment 
  • Paragraph 9(1) racial and ethnic diversity at senior levels 
  • Paragraph 10(1) preventing or detecting unlawful acts 
  • Paragraph 11(1) and (2) protecting the public against dishonesty 
  • Paragraph 12(1) and (2) regulatory requirements relating to unlawful acts and dishonesty 
  • Paragraph 14(1) and (2) preventing fraud 
  • Paragraph 15(a) and (b) suspicion of terrorist financing or money laundering 
  • Paragraphs 18(1) to (4) safeguarding children and individuals at risk 
  • Paragraph 19(1), (2) and (3) safeguarding of economic well-being of certain individuals 
  • Paragraphs 20(1) to (7) insurance 
  • Paragraphs 21(1) to (4) occupational pensions 
  • Paragraph 24(1) and (2) disclosure to elected representatives 
Criminal offence data 

We process criminal offence data for the following purposes in Parts 1 and 2 of Schedule 1: 

Paragraph 1 – employment, social security and social protection 

Procedures for ensuring compliance with the principles 

Accountability principle 

We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include: 

  • The appointment of a Data Protection Officer who reports directly to our highest management level; 
  • Taking a ‘data protection by design and default’ approach to our activities; 
  • Maintaining documentation of our processing activities; 
  • Adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors; 
  • Implementing appropriate security measures in relation to the personal data we process; 
  • Carrying out data protection impact assessments for our high risk processing. 

We regularly review our accountability measures and update or amend them when required. 
Principle (a): lawfulness, fairness and transparency 

Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in Schedule 1. 

We provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notice, staff privacy notice and this policy document. 

Our processing for reasons of substantial public interest relates to the public good, or what is in the best interests of society. This includes ensuring equality or preventing fraud. Further information about this processing can be found in our privacy notice.   

Our processing for the purposes of employment relates to our obligations as an employer. 

Principle (b): purpose limitation 

We process personal data for purposes of substantial public interest as explained above where it is necessary for complying with, or assisting another to comply with, a regulatory requirement to establish whether unlawful or improper conduct has occurred, to protect the public from dishonesty, to prevent or detect unlawful acts, or for disclosure to elected representatives. 

We may process personal data collected for any one of these purposes (whether by us or another controller), for any of the other purposes here, providing the processing is necessary and proportionate to that purpose. 

If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose. 

We will not process personal data for purposes incompatible with the original purpose it was collected for. 

Principle (c): data minimisation 

We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it. 

Principle (d): accuracy 

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision. 

Principle (e): storage limitation 

All special category data processed by us for the purpose of employment or substantial public interest is, unless retained longer for archiving purposes, retained for the periods set out in our retention schedule. We determine the retention period for this data based on our legal obligations and the necessity of its retention for our business needs. Our retention schedule is reviewed regularly and updated when necessary. 

Principle (f): integrity and confidentiality (security) 

Electronic information is processed within our secure network. Hard copy information is processed in line with our security procedures. 

Our electronic systems and physical storage have appropriate access controls applied. 

The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate. 

Retention and erasure policies 

Our retention and erasure practices are set out in our retention schedule. 

Appropriate Policy Document review date 

This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases. 

This policy will be reviewed annually or revised more frequently if necessary. 

Additional special category processing 

We process special category personal data in other instances where it is not a requirement to keep an appropriate policy document. Our processing of such data respects the rights and interests of the data subjects. We provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notice and staff privacy notice. 

Last updated October 2022