Employee and Recruitment Privacy Policy

We are Castle Trust Group consisting of “Castle Trust Bank” and “Omni Capital Retail Finance (OCRF)”. This policy details the types of data we use, why we use it and how.  

1.1        “We”, “Us” and “Our” refers to Castle Trust Group which consists of:

·      Castle Trust Capital plc, company number 07454474, authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

·      Omni Capital Retail Finance Limited, company number 07232938, authorised and regulated by the Financial Conduct Authority.

1.2        Our registered office is 10 Norwich Street, London, EC4A 1BD.  Both firms are registered in England and Wales.

1.3        For the purposes of data privacy laws, we are a Data Controller in relation to the information that we collect and hold about you. This means that we are responsible for ensuring that your data is processed fairly and lawfully by us.

2.1        This Privacy Policy applies to all current, former and prospective: directors, employees, workers, agents and contractors (including, for the avoidance of doubt, self-employed consultants) working with or for Castle Trust Group.  Throughout this policy we refer to employees.  In the context of this policy only the phrase “employee” should be taken to include directors, employees, workers, agents and contractors (including, for the avoidance of doubt, self-employed consultants) but does not imply nor should be assumed to imply or create any specific relationship between any person to whom this policy applies and Castle Trust Group.

2.2        This policy does not form part of any employee’s contract of employment and may be amended at any time.

2.3        In the course of your work, you may come into contact with and use confidential personal information about other employees, clients, customers, suppliers, agents, contractors and other people, such as their names, email addresses and home addresses.  This Policy helps you to ensure that you do not breach data protection laws.  There are strict rules governing the collection, retention, storage, use and disclosure of personal information.  Information protected by these laws includes not only personal data held on computer but also certain manual records that form part of a structured filing system.  If you are in any doubt about what you can or cannot disclose and to whom, do not disclose the personal information until you have sought further advice from your Manager or Castle Trust Group’s Data Protection Officer.  It is a criminal offence to knowingly or recklessly disclose personal data in breach of the laws and any such action could also result in significant fines for the Company, as well as irreparable damage to the Company’s reputation.  Accessing another employee’s personal records without authority is a disciplinary offence and may amount to potential gross misconduct.

You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this policy. You might need a copy of the information we hold, or you may ask us to correct it or delete it amongst other things. This section explains your rights and what to do if you’re not happy.

3.1          Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

·        Object to processing of your personal information where we are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object to being subject to automated decision processes and where we are processing your personal information for direct marketing purposes.

·        Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Where we have requested a reference in confidence from a referee and that reference has been given on terms that it is confidential and that the person giving it wishes that it should not to be disclosed to you, it is our policy that it would not normally be reasonable to disclose such a reference to you unless the consent of the person who gave the reference is first obtained. 

We reserve the right not to disclose to you any management forecasts or management planning documentation, including documents setting out the Company’s plans for your future development and progress.  We will also not disclose to you any information that contains personal data of any other person.

·        Request correction of your personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

·        Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see above).

·        Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

·        Request the transfer of your personal information to another party in a machine-readable, commonly used and structured format.

Where you have previously given us your permission to use your personal information, you may withdraw that permission. Where your permission is withdrawn, your previous consent will remain valid in respect of our use of your information prior to the date you withdrew it, or if any marketing material has been sent prior to you advising that you do not wish us to contact you again.

If you wish to exercise any of these rights then please contact the Data Protection Officer (see section 10).

Please note that in some cases, even when you make a request concerning your personal information, we may not be required, or may not be able, to honour it as this may result in us not being able to fulfil our legal and regulatory obligations or there is a minimum statutory period of time for which we have to keep your information. If this is the case, then we will let you know our reasons.

3.2          Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

3.3         Your Obligations in Relation to Personal Information

3.4 You must comply with the company’s policies and procedures pertaining to data protection at all times:

3.4.1 Do not give out confidential personal information except to the data subject, unless the data subject has given their explicit consent to this.

3.4.2 Be aware that those seeking information sometimes use deception in order to gain access to it.  Always verify the identity of the data subject and the legitimacy of the request, particularly before releasing personal information by telephone. 

3.4.3 Only transmit personal information between locations by fax or email if a secure network is in place, for example, a confidential fax machine or encryption is used for email.

3.4.4 If you receive a request for personal information about another employee, you should forward this to your Manager, HR or the Data Protection Officer.

3.4.5 Ensure that any personal data which you hold is kept secure in accordance with Castle Trust’s policies and procedures.

3.4.6 Do not send personal data to any email recipient outside the European Economic Area (EEA) without their prior explicit consent.

3.5          Fees

You will not have to pay a fee to access your personal information (or to exercise any of the other rights).  In some cases, we may charge a reasonable fee if your request for access is clearly unfounded or excessive, or if you request multiple copies of the information.  Alternatively, we may refuse to comply with the request in such circumstances.

3.6          What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

3.7          Right to complain

If you wish to request further information about any of the above rights, or if you are unhappy with how we have handled your information, contact the Data Protection Officer (see section 10 for contact details).

If you are not satisfied with our response to your complaint or believe our processing of your information does not comply with data protection law, you can make a complaint to the Information Commissioner’s Office: https://ico.org.uk/global/contact-us/ 0303 123 1113.

We collect the following kinds of information about you:      

4.1          Information you provide to us

You provide us, or our agents, with certain information when you apply to work or become employed by Castle Trust. This includes:

·        Your name, address, date of birth, email address and telephone number;

·        Previous address details;

·        Bank account details;

·        Special categories of personal information such as gender; nationality; racial or ethnic origin; health related information or information relating to disabilities; age; religion or belief; sexual orientation

·        In certain circumstances, utility bills, bank statements or copies of official identity records such as passports, driving licences or birth and marriage certificates; and

·        Details of criminal convictions.

4.2          Information obtained from credit reference agencies

We obtain a copy of your credit file from credit reference agencies TransUnion, Experian and Equifax. For detailed information on the information obtained and how it is used, see section 7.1.

4.3          Combining data

The information you give us may be combined with other information about you that is obtained from other sources. The combination is usually undertaken with a view to enhancing an existing database with more information. This will include:

·        The information you give us may be compared with data available elsewhere in the public domain such as social media profiles or electoral role information to verify your identity or validate the information you have provided (for example, professional networking sites for employment history).

4.4          Information provided from your use of our website

We gather information about how often you and other users access the website, the way in which you navigate around it, and how long you spend on particular pages.

4.5          Information from your devices when you use our website

We gather information about the devices that you use to access the website, such as the operating system, hardware, software versions, browser configuration, display size, browser configuration and connection information such as IP addresses.

We use cookies to recognise when you return to our site and to compile anonymous, aggregated statistics that allow us to understand how users use our site and to help us improve the structure of our website. We also use cookies to measure performance of our web server and, via a third party, allow you to leave comments on our blog pages. You can find more information about the types of cookies we use in our Cookie Policy.

4.6          Other information

We monitor or record your communications with us to meet our regulatory obligations and to improve our services.

If you provide us with information about another person, it is important you gain their consent and tell them what information you are providing and why, for example, details of your next of kin. If they do not want their information given to us, then you should not provide it. If they would like to know more, they can have a copy of this Privacy Policy or they can write to our Data Protection Officer using the contact details in section 10.

We collect information about you for the following purposes:          

5.1          Verifying your identity

The information you provide will help us to verify your identity so that we know we are dealing with the correct person. We do this by checking the information you give us against external databases such as the electoral roll and your credit file.

5.2          Recruitment and employment

We will use the information that we hold about you in order to enter or look to enter into a contract of employment with you and to fulfil our obligations under such contract. This includes contacting you to communicate with you in connection with our services and to deal with any queries concerning the data that we hold.

5.3          Fraud prevention and other legitimate interests

We will use the information in order to detect or prevent fraud and to comply with our legal obligations (for example, to ensure that no-one has fraudulently used your details or to confirm you have only entered information about yourself). Information can be used to corroborate your details (including using third parties to undertake those checks on our behalf).

Information is also being used, by us or third parties (see section 6), for credit and risk assessment and identification.

5.4          Automated decision making and decisions made based on Profiling

Automated decision-making occurs when an electronic system uses data to make a decision without any human intervention. We may use automated decision-making in the following circumstances:

·        Where it is necessary to perform the contract of employment and we have put appropriate measures in place to safeguard your rights.

·        With your explicit consent and where we have put appropriate measures in place to safeguard your rights.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you of this fact.

As your employer we hold a variety of information about you in our systems. This data includes but is not limited to your name and address, salary details, bank details, gender, nationality, health related information or information relating to disabilities, age, religion or belief, sexual orientation and details of criminal convictions.  This information will only be used in order that we can monitor our compliance with the law and best practice in areas such as recruitment, equal opportunity, pay and benefits, administration, performance appraisal and disciplinary matters.  If your personal information changes, you should let us know so that our records can be updated. 

In some circumstances, we may have to hold, and process, sensitive personal data about you.  This will be, for example:

·        information about your physical or mental health in order to monitor sick leave and take decisions about your fitness for work; and

·        your racial or ethnic origin, or religious or similar beliefs, in order to monitor compliance with equal opportunities legislation. 

In addition, there may be situations where we process information relating to your criminal record.  This may include, for example, undertaking criminal records and/or DBS checks against potential employees and/or keeping on our files information relating to certain criminal convictions of employees whilst in our employment. 

In both of these circumstances the lawful basis for processing is slightly different.  When processing this ‘sensitive’ personal data, including criminal record information, we will rely upon the lawful bases of ‘Consent’ (only for information that you voluntarily provide to us), ‘Legal Obligations’ and ‘Vital Interests’.

No matter what kind of personal data we hold about you (whether sensitive or otherwise) we will only hold the minimum amount of data that we require to comply with our obligations and it will only be retained for as long as it is required to enable us to comply with our legal obligations.  After this time it will be permanently deleted. All data is retained in accordance with our Data Retention Policy, a copy of which is available on the firm’s shared drive, or can be supplied upon request using the contact details in section 10.

We will share your information with selected third parties who provide Castle Trust Group with professional services.  This may include, for example, passing information to our accountants and/or professional advisers to enable them to best advise us in relation to a specific matter.  In such circumstances, we will only pass the minimum amount of information that is required to enable those advisers to provide us with the advice required.  The lawful basis for this processing will be ‘Legitimate Interests’.  We have a legitimate interest in passing your information to such third parties but will ensure at all times that your rights are not infringed in any way and that the personal data we transfer is kept secure and only used for the purpose for which it was provided.

Unless you expressly authorise its disclosure, your personal data will not be disclosed to anyone else other than:

·        authorised employees,

·        other companies within the Group,

·        those who provide relevant products or services to the Company,

·        regulatory authorities,

·        potential or future employers,

·        governmental organisations,

·        and potential purchasers of the Company or of that part of the business in which you work. 

·        credit reference agencies;

·        accountants;

·        auditors;

·        lawyers;

·        information technology and information security providers; and

·        market research and analytics companies.

·        payment service providers

·        ID verification providers

We share your personal information with these service providers for the purposes of managing our business and dealing with you as an employee of that business.

If you would like further information regarding the specific named recipients that we share data with, please contact the DPO.

7.1          Credit Reference Agencies

In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies (“CRAs”).

To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

·        Verify the accuracy of the data you have provided to us;

·        Prevent criminal activity, fraud and money laundering;

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other searchers.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail at Experian www.experian.co.uk/crain, TransUnion www.transunion.co.uk/crain and Equifax www.equifax.co.uk/crain.

7.2          Fraud prevention, law enforcement agencies and other non-marketing users

We may share your personal information, or any suspected fraud relating to you, with law enforcement agencies and regulators where we are under a duty to disclose or share your information in order to comply with any legal or regulatory obligation, or if we reasonably consider that this is necessary to help prevent or detect fraud or other crime or to protect the rights, property, or our safety, our customers or others.

The personal information you provide (including your email and internet protocol (IP) addresses) may also be copied, stored, used and licensed to assist with identity verification, prevention of fraud and money laundering, service delivery and process implementation.

We may share your information if we are under a duty to disclose or share your information with HM Revenue & Customs (HMRC), who may transfer it to the government or the tax authorities in another country where you may be subject to tax.

We may also share your personal information with any other third parties where we are required to do so by law.

The results of your identity check may also be disclosed to authorised third parties through credit referencing, fraud prevention, risk assessment and identification products.

7.3          International transfers

We transfer, use and/or store your personal information outside of the European Economic Area (“EEA”) and the laws of some of these destination countries may not offer the same standard of protection for personal information as in the UK.

We currently transfer data to third parties for processing outside of the EEA for the purposes of verifying your identity and providing you with employee benefits.  We may update this list from time to time and any changes will be communicated to you via an update to this privacy notice.

Transfers to our third-party service providers are to enable them use and store your personal information on our behalf.  We will, however, put in place appropriate security procedures in order to protect your personal information. We also ensure that, where your information is transferred to any country outside the EEA this is done using specific legally-approved safeguards.  You can request further details and a copy of these by contacting the DPO (see section 10).

We will keep your information only for as long as necessary depending on the purpose for which it was provided. Details of retention periods for different aspects of your personal information are available in our retention policy which is available from the Data Protection Officer.

Personal data will be retained as necessary during the course of your employment and records will be retained for up to seven years after you leave the Company’s employment in case legal proceedings arise during that period.  Different categories of data may be retained for different periods of time depending on legal, operational, regulatory and financial requirements.  Data will only be retained for a period of longer than seven years if it is material to ongoing legal proceedings or it should otherwise be retained in the interests of the Company or for regulatory reasons after that period (for example, relating to a company pension scheme or employee benefit scheme).

Manual personal data, such as personnel files, is stored in locked filing cabinets and is only accessible by certain authorised persons.  Personal data held on computer is stored confidentially by means of password protection.  We have a network of back-up procedures to ensure that data on computer cannot accidentally be lost or destroyed.

We are aware of the importance of safeguarding the information under our control and endeavour to take all reasonable steps to protect it. All data collected through the website is stored on secure servers, and we have stringent security and confidentiality procedures covering the storage and disclosure of such information in accordance with the current data protection regulations.

We link to a wide variety of other sites. We are not responsible for the content or privacy policies of these sites, nor for the way in which information about their users is treated. In particular, unless expressly stated, we are not agents for these sites nor are we authorised to make representations on their behalf.

You may write to us at:

Or by email at: DPO@castletrust.co.uk