1. Purpose
The purpose of the Data Protection Policy is to set out the British Business Bank’s (the “Bank”) requirements to enable compliance with data protection legislation.
1.1 Personal Data
Personal Data is defined in the Data Protection Act 2018 (DPA) as “any information relating to an identified or identifiable living individual”. An identifiable living individual is “a living individual who can be identified, directly or indirectly, in particular by reference to:
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”
Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour. Personal Data includes Special Category Data and Pseudonymised Personal Data but excludes anonymous data or data where information which could identify an individual has been permanently removed.
1.2 Special Category Data and Criminal Offence Data
Under the DPA, additional safeguards apply when dealing with Special Category Data and Criminal Offence Data.
The full list of definitions used in this Policy is available at Section 8.
1.3 Legal & Regulatory Obligations
The applicable laws include the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and related legislation.
In addition to meeting its legal obligations, the Bank as an Arm’s Length Body is required to meet the Government Functional Standards where applicable. Obligations relating to Government Functional Standard (GFS005) – Digital, Data and Technology and GFS007 – Security activity elements are contained and prescribed through this policy and associated standards.
1.4 Alignment to Risk Appetite
This Policy sits under the Level One Risk category, Operational and Resilience Risk. It aligns to the Level Two Risk Category, Information Management, which is defined as ‘The risk of failing to treat information as a strategic asset, appropriately manage and maintain the organisation’s information across its lifecycle to support its necessary use, resilience, integrity and availability.’
The Bank has a Medium appetite for Information Management Risk, acknowledging the Bank continues to mature its system infrastructure to support delivery of its strategic objectives. The Bank does however have a low tolerance for failure to meet our legal and regulatory obligations or failure to adequately protect the information rights of individuals.
The correct handling of Personal Data is crucial for achieving the Bank’s strategic objectives while complying with its legal and regulatory obligations. This Policy is supported by standards (see Section 6) that describe the Bank’s minimum expectations when handling Personal Data.
2. Scope
This Policy applies to all Bank entities, operations and subsidiaries, and Colleagues. It does not form part of any Colleague’s contract of employment and we may amend it at any time.
This Policy applies to all Personal Data the Bank processes regardless of where the data is stored, its age, format, or whether it relates to past or present Colleagues, workers, customers, or contacts at suppliers or delivery partners, shareholders, website users or any other Data Subject.
3. Requirements
3.1 Data Protection Principles
The data protection principles are key to data protection law and determine that Personal Data shall be:
- Processed fairly, transparently and lawfully
- Processed only for specified and not incompatible purposes
- Adequate, relevant and necessary for the purpose
- Accurate and, where necessary, kept up-to-date
- Not kept longer than necessary for the purpose
- Kept secure by technical/organisational means
The law also requires that the Controller shall be responsible for, and be able to demonstrate compliance with, the above principles.
3.2 Accountability
Data protection accountability relies on good record keeping, so that the Bank can evidence or reflect on its actions and decisions and demonstrate compliance with the law.
The Bank is obligated to take responsibility for its handling of Personal Data and to demonstrate the steps it has taken to protect people’s rights; doing so results in better legal compliance.
It also gives the Bank the opportunity to show how it respects people’s privacy, helps sustain the Bank’s reputation, and evidences that it has actively considered the risks and put in place measures and safeguards. This supports the Bank in mitigating any potential enforcement action.
The Bank must:
- Register the British Business Bank plc (and any relevant subsidiaries) as a Controller with the Information Commissioner’s Office for inclusion on the Register of fee payers.
- Appoint a Data Protection Officer and register their name, contact details and address with the Information Commissioner’s Office.
- Have in place appropriate technical and organisational measures as required as a Controller. These measures include standards setting out in detail how the Bank will meet its accountability obligations. See section 6.
3.3 Special Category and Criminal Offence Data
In line with the first data protection principle for processing data lawfully, where Personal Data is Special Category Data or Criminal Offence Data there is a requirement for additional conditions under UK GDPR Article 9 to be met.
The Bank will disclose Special Category Data and Criminal Offence Data in appropriate circumstances and in connection with a Schedule 1 condition for processing as set out in Annex 1.
The Data Protection Act also requires an Appropriate Policy Document to be in place. Where we rely on the substantial public interest condition in Article 9(2)(g) of the UK GDPR, we also need to meet one of the 23 substantial public interest conditions set out in Part 2 of Schedule 1 of the Data Protection Act, many of which require an Appropriate Policy Document. This section of this policy is the Bank’s Appropriate Policy Document.
This section describes what data are processed, explains the procedures that are in place to comply with the data protection principles, and confirms what retention and erasure policies are in place. Annex 1 confirms what Schedule 1 conditions are used.
3.3.1 Description of the data processed
The Bank processes Personal Data about businesses and companies, which includes sole traders, representatives and associates and directors, as well as Personal Data about our past, present and prospective delivery partners, suppliers, contractors, interns, Colleagues and non-executive directors, complainants and requesters (for information).
The Personal Data processed depends on the business activity and our relationship with the Data Subject, but may include name, address, contact details, bank accounts, payment details, background checks. There can also be Criminal Offence Data and Special Category Data including racial and ethnicity data, sexual orientation, religious and philosophical beliefs, and health data.
3.3.2 Procedures for ensuring compliance with the principles
This Policy sets out our approach to handling Personal Data, which also applies to our processing of Special Category Data and Criminal Offence Data, and how we intend to comply with the data protection principles.
3.3.3 Retention and erasure
The Records Management Standard and accompanying Record Retention Schedule sets out our approach to the retention and disposal of Information and Data, which also covers Special Category and Criminal Offence Data.
4. Roles and Responsibilities
4.1 All colleagues
Data Protection is everyone’s responsibility. All colleagues are required to adhere to this policy and related Standards to help comply with data protection law and to enable the Bank to meet its data protection obligations. The Data Protection Officer has special additional responsibilities with regard to Personal Data. Other roles exist in the organisation to support the proper use of Personal Data; these include:
- Senior Information Risk Owner
- Information Asset Owners
- Information Asset Administrators
- Data Owners
- Data Stewards
Please refer to the Information and Data Governance policy for a full list of responsibilities for these roles.
4.2 Data Protection Officer
The Bank is required to appoint a Data Protection Officer (DPO) to help the Bank fulfil its data protection obligations by:
- Informing and advising on data protection obligations
- Monitoring compliance with data protection laws
- Raising awareness and providing data protection training
- Advising on Data Protection Impact Assessments, which is the process of ensuring that appropriate and proportionate safeguards are in place in all uses of personal data.
- Liaising with the Information Commissioner’s Office in relation to data-related complaints
- Reporting any reportable breaches of data protection law and regulations to the Information Commissioner’s Office
- Ensuring data protection risks are managed appropriately.
The Data Protection Officer is not liable for the Bank’s compliance with its data protection obligations; the Bank remains accountable for complying with data protection obligations regardless of whether the Data Protection Officer is an employee or a contracted third party.
5. Non-Compliance
This Policy sets out what we expect from all Colleagues and parties identified in Section 2 (Scope) of this policy to ensure the Bank complies with applicable laws and regulations.
All identified breaches of this policy must be reported via the Risk Incident Portal on the Bank’s Intranet. Breaches will be assessed by the Policy Owner to determine the further action required and may include disciplinary action in accordance with the Bank’s Disciplinary Policy.
The Bank’s failure to comply with data protection law, either deliberately or accidentally, can have significant consequences for the Data Subjects whose data has been processed and to the organisations that processed the Personal Data. Data Subjects have the right to receive compensation (GDPR Article 82), and the UK’s Supervisory Authority (Information Commissioner’s Office) has enforcement powers that include issuing monetary fines up to £17.5 million or 4% of an organisation’s annual turnover (GDPR Article 83) for infringements of certain provisions in the law.
The Bank will take any necessary actions via our internal procedures. The Bank will cooperate with the relevant external regulators and law enforcement agencies as required.
The Data Protection Officer will monitor compliance with this policy.
6. Aligned Standards and Procedures
Personal Data is processed in a large number of business activities and therefore features in the majority of business processes, policies, standards and procedures. The following standards are under this Policy:
- Data Protection by Design Standard
- Data Protection Rights Standard
- Personal Data Sharing Standard
- Direct Marketing and PECR Standard
Related documents:
- Information and Data Governance Policy (and accompanying standards)
- Data Management Policy (and accompanying standards)
- Supplier Management Policy, Procurement and Contracting Standards
- Business Resilience Policy
- Risk Incident Review Reporting Procedure
- Information Security Policy
- IT Acceptable Use Policy
7. Policy Controls
A key control is a control, or a combination of controls, which manages the inherent exposure of a risk to an accepted residual level and within the defined risk appetite. The key controls relevant to this policy are contained in the table below.
Control Reference | Control Title | Control Description | Control Objective |
---|---|---|---|
C_LIB_IM_01_10 | Compliance with Privacy Electronic Communication Regulation (PECR) | The Data and Information Governance Team monitors compliance with PECR requirements and reports compliance issues to the ERC, BRC and Board and notifies the Information Commissioner’s Office in line with requirements | 1.1. To promote effective governance and accountability over data and information assets and minimize financial and reputational damage to the Bank through misuse of data / information assets and non-compliance with legal and regulatory obligations |
C_LIB_IM_01_11 | Compliance with UK General Data Protection Regulation (UK GDPR) | The Data and Information Governance Team monitors compliance with UK GDPR requirements and reports compliance issues to the ERC, BRC and Board and notifies the Information Commissioner’s Office in line with requirements | 1.1. To promote effective governance and accountability over data and information assets and minimize financial and reputational damage to the Bank through misuse of data / information assets and non-compliance with legal and regulatory obligations |
C_LIB_IM_02_3 | Due diligence questionnaire (DDQ) template | Procurement issues the DDQ template to the preferred/selected supplier which covers off data protection, business resilience and InfoSec concerns. | 2.1. To promote effective governance, accountability and oversight of the Bank's system / enterprise architecture to ensure solutions are designed and delivered to meet the business requirements and provide the expected business value |
C_LIB_IM_02_4 | Data Protection Impact Assessments | Information Asset Owners ensure a data protection impact assessment (DPIA) is carried out at the start of a new process or project to identify whether Personal Data is involved and to minimise any risk to the rights and freedoms of data subjects. These DPIAs are subject to annual review. | 2.1. To promote effective governance, accountability and oversight of the Bank's system / enterprise architecture to ensure solutions are designed and delivered to meet the business requirements and provide the expected business value |
C_LIB_IM_02_5 | Data Protection by Design | The Data Protection by Design Standard which defines the baseline controls that must be in place for any new software or IT system, application, and website or similar that processes Personal Data, including appropriate access rights and permissions. | 2.1. To promote effective governance, accountability and oversight of the Bank's system / enterprise architecture to ensure solutions are designed and delivered to meet the business requirements and provide the expected business value |
C_LIB_IM_03_5 | Register of Personal Data Processing | The Register of Personal Data Processing Activities (ROPA) provides a complete record of the personal data assets held by the Bank and how they are used, under the responsibility of Information Asset Owners. Information Asset Administrators maintain entries in the ROPA by listing the processes that involve Personal Data and updating the ROPA as processes change, e.g. as new Data Protection Impact Assessments are completed. | 3.1. To promote effective governance and accountability over the accuracy, reliability and quality of data elements and to ensure data is regularly validated prior to transmission in accordance with data management policies and standards |
C_LIB_IM_04_2 | Mandatory data protection training | Annual mandatory training for all employees on data protection and information security. | 4.1. To ensure that data is processed, stored, retained and destroyed in line with legal obligations and where incidents /breaches occur, prompt action is taken including notification to the relevant legal body to minimize any financial and reputational damage to the Bank |
C_LIB_IM_04_3 | Data Protection Officer | The Bank has a Data Protection Officer in place who provides expert knowledge and advice on data protection and fulfils the duties as required by UK GDPR and Data Protection Act 2018. | 4.1. To ensure that data is processed, stored, retained and destroyed in line with legal obligations and where incidents /breaches occur, prompt action is taken including notification to the relevant legal body to minimize any financial and reputational damage to the Bank |
C_LIB_IM_04_4 | Privacy Notice | Data subjects are notified of data processing activities and their data subject rights via the relevant Privacy Notice. | 4.1. To ensure that data is processed, stored, retained and destroyed in line with legal obligations and where incidents /breaches occur, prompt action is taken including notification to the relevant legal body to minimize any financial and reputational damage to the Bank |
C_LIB_IM_04_5 | Consent evidenced | Information Asset Owners responsible for relevant Personal Data processing have processes in place to obtain proof that consent was received from individuals before collecting and processing their data. | 4.1. To ensure that data is processed, stored, retained and destroyed in line with legal obligations and where incidents /breaches occur, prompt action is taken including notification to the relevant legal body to minimize any financial and reputational damage to the Bank |
C_LIB_IM_04_7 | Data Subject Rights | Clearly designed, implemented and documented process in place to comply with data subject access requests by individuals and third parties and respond within one month of receipt of the request. All data subject access requests are responded to within statutory requirements and timeframes. | 4.1. To ensure that data is processed, stored, retained and destroyed in line with legal obligations and where incidents /breaches occur, prompt action is taken including notification to the relevant legal body to minimize any financial and reputational damage to the Bank |
C_LIB_IM_04_8 | Third party due diligence | Data protection and security due diligence is performed on third party suppliers that process Personal Data on behalf of the Bank. | 4.1. To ensure that data is processed, stored, retained and destroyed in line with legal obligations and where incidents /breaches occur, prompt action is taken including notification to the relevant legal body to minimize any financial and reputational damage to the Bank |
C_LIB_IM_06_1 | Data Sharing | Data sharing agreements are in place to facilitate sharing Personal Data with external third parties. | 6.1. To ensure the Bank's data sharing requirements are communicated and understood by third parties and breaches are corrected in a timely manner to minimize financial loss and reputational damage for the Bank |
C_LIB_IM_06_3 | Incident and Breach Management | Information Asset Owners ensure there is a process in place in their area to ensure any potential data protection breach is reported via the Risk Incident Portal without delay for assessment and consideration and where necessary for reporting to the Information Commissioner’s Office within 72 hours. | 6.1. To ensure the Bank's data sharing requirements are communicated and understood by third parties and breaches are corrected in a timely manner to minimize financial loss and reputational damage for the Bank |
8. Definition of Terms
Anonymisation
The process of removing personal identifiers, both direct and indirect, that may lead to an individual being identified.
Colleague
Individuals working at or for the Bank including employees, temporary staff, contractors, consultants, interns and anyone else who may access and use Bank information for the Bank’s purposes. This includes third parties that manage and process information on the Bank’s behalf when carrying out the Bank’s functions.
Consent
Agreement, which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.
Controller
The person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the UK GDPR. The Bank is the Controller of all Personal Data relating to Bank Colleagues and Personal Data used in the Bank's business for the Bank's own commercial purposes.
Criminal Offence Data
Defined in Article 10 of the UK GDPR and section 11(2) of the Data Protection Act 2018 as data about offenders or suspected offenders in the context of criminal activity, allegations, investigations and proceedings. Collectively referred to as Criminal Offence Data.
Data Protection Act (DPA)
Data Protection Act 2018 - The UK implemented the DPA to give effect to and supplement the General Data Protection Regulation.
Data Protection Impact Assessment (DPIA)
Data Protection Impact Assessment - Tools and assessments used to identify and reduce risks of a data processing activity. DPIAs can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.
Data Protection Officer (DPO)
Data Protection Officer, see the Information and Data Governance Policy for description of this role.
Data Subject
A living identified or identifiable individual about whom the Bank holds Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Joint Controller
Multiple persons or organisations that determine when, why and how to process Personal Data. They are responsible for establishing practices and policies in line with the UK GDPR. The Bank is the Controller of all Personal Data relating to Bank Colleagues and Personal Data used in Bank business for the Bank’s own commercial purposes. A Joint Controller relationship may occur when Personal Data is used by another party e.g. SUL Finance Partners are a joint data controller with the Bank.
Privacy and Electronic Communication Regulation 2003 (PECR)
The Privacy and Electronic Communications (EC Directive) Regulations 2003 which covers electronic direct marketing messages and related website cookies.
Personal Data Breach
Any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that the Bank or the Bank’s third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Privacy by Design
Implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Privacy Notices (also referred to as Fair Processing Notices)
Separate notices setting out information that may be provided to Data Subjects when the BBB collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose.
Processing or Process
Any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Processor
A processor is an entity or individual that processes personal data in accordance with a data controller’s written instructions.
Pseudonymisation or Pseudonymised
Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
Record of Processing Activity (ROPA)
This document details all activities where the Bank processes Personal Data. This includes where the Personal Data comes from, the lawful basis for processing, who this data is shared with and where it is stored.
Restricted Transfers
International transfers of Personal Data to countries not deemed to have adequacy with UK GDPR.
The Information Commissioner has deemed it safe to process Personal Data in the following countries:
EU Member States: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and
European Economic Area (EEA) states: Iceland, Norway and Liechtenstein.
Additional countries with adequacy arrangements: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay.
Please note this list may change, so for the most up-to-date list see the Information Commissioner’s Office website (International data transfers | ICO).
Special Category Data
Defined in Article 9(1) of the GDPR and section 35(8) of the Data Protection Act 2018 as information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
UK GDPR
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 retain the EU GDPR after the Brexit transition and create the UK GDPR, which sits alongside an amended version of the Data Protection Act 2018. The key principles, rights and obligations remain the same, but there are implications for the rules on transfers of personal data between the UK and the EEA.
9. Further Information
For further information about data protection, see Information Governance.
If you have any data protection queries or concerns, you can contact the Data Protection Officer at [email protected]
Annex 1: Data Protection Act Schedule 1 conditions for processing
DPA 2018 Schedule 1 | Description of condition | Data likely to be processed | Processing Activities |
---|---|---|---|
1. Employment, social security and social protection | Processing necessary in connection with the laws of employment, social security and social protection. | Racial or ethnic origin; religious or philosophical beliefs; health; sexual orientation | Assess eligibility for services or benefits; assess employee health and wellbeing; equalities and equal opportunities |
6. Statutory and government purposes | Processing necessary in connection with the laws relating to health and safety at work. | Health | Report and investigate accidents and incidents at the workplace |
7. Administration of justice and parliamentary purposes | Processing necessary for the administration of justice. | Racial or ethnic origin; religious or philosophical beliefs; health; sexual orientation; Criminal Offence | Prepare or conduct legal defence or proceedings and/or reporting to law enforcement authorities. |
8. Equality of opportunity or treatment | Processing necessary for identifying or keeping under review the existence or absence of equality or opportunity or treatment between groups of people with the view to enabling equality to be promoted or maintained at a group not individual level. | Racial or ethnic origin; religious or philosophical beliefs; health; sexual orientation | Comply with the Equality Act 2010 through customer or employee surveys, consultations, etc. |
10. Preventing or detecting unlawful acts | Processing necessary to prevent or detect an unlawful act or unlawful failure to act. | Criminal Offence | Respond to allegations or suspicions of misconduct; conduct Know Your Client/Customer due diligence; conduct background verification on individuals (e.g. Start Up Loan applications); respond to allegations or suspicions under the Bribery Act 2006, Fraud Act 2010 or Money Laundering Regulations; reporting to law enforcement authorities |
14. Preventing fraud | Processing carried out to protect public money and prevent and detect fraud. | Criminal Offence | Respond to allegations or suspicions under the Bribery Act 2006, Fraud Act 2010 or Money Laundering Regulations |
15. Suspicion of terrorist financing or money laundering | Processing necessary for certain disclosures made under the Terrorism Act 2000 and Proceeds of Crime Act 2002. | Criminal Offence | Disclosing information in relation to money laundering and terrorist financing; reporting to law enforcement authorities |