OakNorth Bank plc (“We”, “us”, “our” or “Bank”) is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 629564). Registered in England No. 08595042. Registered Office: 57 Broadwick Street, London, W1F 9QS. References to “You” or “Your” are to the employee, job applicant, intern, former employees, dependents, consultants, contractors and temporary agency workers of the Bank.
The Bank shall collect and process Your personal data for lawful business purposes to administer Your prospective, current or post-employment with us or our contractual relationship with You and to run the Bank’s business. The Bank may collect, use and transfer Your personal data through automated and/or paper-based data processing systems for talent pool management, recruitment and in order to provide certain services or benefits relating, but not limited, to: job offer, payroll, health, pension, life cover, immigration, training, computer access, site access, etc. as relevant to Your (offer of) employment or Your visit to our business. On occasion the Bank may collect Your data through third parties that You have given specific consent to, namely employment agencies, background checking suppliers, individual employer (if You are employed as a consultant or contractor), and references from third parties (such as prior employers or references which You provide to us, for which we will ask for Your specific consent to contact). You can contact our People Operations team:
You can also contact our Data Protection Officer directly by emailing: [email protected] for OakNorth Credit Intelligence or [email protected] for OakNorth Bank.
1. Purposes for which the personal data will be processed:
Before we provide You with certain services or benefits, we shall collect and process Your personal data to conduct and/or facilitate (a) workforce planning, recruitment and staffing; (b) workforce administration, payroll, compensation and benefit programs; (c) performance management, learning and development; (d) advancement and succession planning; (e) legal compliance requests, including compliance with government authority requests for information, liens, garnishments and tax compliance; (f) workplace management, such as travel and expense programs and internal health and safety programs; (g) internal reporting; (h) audits; (i) programs to protect the Bank, its workforce and the public against injury, theft, legal liability, fraud or abuse; and (j) other legal and customary business as relevant. For this, we shall undertake a full background check wherein we will verify the information supplied by You and may compare it to that held by our vendors detailed below. The Bank shall also perform ongoing background checks on an annual basis. We may also ask You to provide physical forms of identity verification including Your passport, Right to Work documentation and driver’s licence as relevant.
If You would like access to the information we receive from any of our vendors or any other source, please contact the People Operations department in order to make a Subject Access Request (SAR). We accept no responsibility or liability for the actions of any of our vendors which act as separate and independent controllers. Any information which is controlled by them and used for the purpose of fraud prevention/credit checks is not governed by our Privacy Policy. We may use any of the following third-party providers to undertake these searches. We currently use Experian, Pinkerton, Sterling, Equifax, Cifas, National Hunter, Refinitiv, GBG, Comply Advantage or Dow Jones. We reserve the right to add or remove third-party providers from this list from time to time. These companies collect and maintain data which is often sourced from public record (such as the electoral register or company record). To view their privacy notices or contact details, please visit their individual websites.
Furthermore, we shall process Your personal data for and on the following purposes/grounds:
Category of Personal Data | Purpose for Processing | Processing Grounds |
Contact information; Financial information; Educational and training information; Recruitment and performance related information; Identity information; Historical address information; Tax residency information; Employment status information; Online identifier information; Risk and/or fraud information | Operating, maintaining and administering Your (offer of) employment and/or our business | Contract |
Contact information; Financial information; Educational and training information; Recruitment and performance related information; Identity information; Historical address information; Tax residency information; Employment status information; Online identifier information; Risk and/or fraud information | Providing You with the services and benefits related to employment | Contract |
Contact information; Financial information; Educational and training information; Recruitment and performance related information; Identity information; Historical address information; Tax residency information; Employment status information; Online identifier information; Risk and/or fraud information | Right to Work checks; Preventing or detecting money laundering, financial crimes, fraud or any other illegal activity, carrying out electronic verification checks including criminal records, Politically Exposed Person (PEPs), media, and sanctions checks; Carrying out credit searches | Legal obligation; Legitimate interest |
Contact information; Financial information; Identity information; Historical address information; Tax residency information; Employment status information; Online identifier information; Payroll and payment or benefits-related information; Information needed for compliance and risk management; Risk and/or fraud information | Internal reporting (for business operation purposes) and external reporting (for compliance with any legal and/or regulatory obligations) | Legitimate interest; Legal obligation |
Contact information; Financial information; Identity information; Historical address information; Tax residency information; Employment status information; Online identifier information; Payroll and payment or benefits-related information; Information needed for compliance and risk management; Risk and/or fraud information | Our confidential research and analysis | Legitimate interest |
Contact information; Financial information; Identity information; Historical address information; Tax residency information; Employment status information; Online identifier information; Payroll and payment or benefits-related information; Information needed for compliance and risk management; Risk and/or fraud information | Complying with any other legal and/or regulatory requirements including legitimate requests for information from law enforcement or regulatory bodies/agencies | Legal obligation; Legitimate interest |
Contact information; Financial information; Identity information; Historical address information; Tax residency information; Employment status information; Risk and/or fraud information | General record keeping requirements as stipulated by the Regulatory Authority (Financial Conduct Authority (FCA) & Prudential Regulation Authority (PRA)) | Legal obligation |
Contact information; Identity information; Employment status information | Employment verification | Legitimate interest |
CV, salary data, first and last name, employer, title, e-mail address, telephone numbers, LinkedIn address, location, introductory (referral source), years in current role | Talent sourcing, talent pool management, managing contact database, maintaining and building an internal recruitment function | Legal obligation; Legitimate interest |
Health Information which you disclose to us, or which is required for office Health and Safety | The processing of this data is strictly limited for the purpose of maintaining a safe office environment or to support you in executing your job more effectively. As this is a special category of information, we will never process it beyond the specific purpose for which it was provided. We will also delete it as soon as possible after it has been used for its legitimate purpose. | Legal obligation; Legitimate interest |
Glossary of Categories of Personal Data
Category of Personal Data | Included Information |
Contact information | Postal address, email address, telephone number(s), family and emergency contact details |
Identity information | Title, name, nationality, gender or gender identification, date of birth, photograph, signature, electoral roll data, passport |
Historical address information | Minimum five years of address history, immigration, right to work and residence status |
Educational and training information | Educational awards, certificates and licenses, vocational records and in-house training attendance |
Employment status information | Career history / resume, employed, self-employed, student, retired, other, years of service, work location, employment ID, work record, references, vacation absences and contract data |
Recruitment and performance related data | Objectives, ratings, comments, feedback results, career history, work equipment, career and succession planning, skills and competencies and other work-related qualifications |
Information needed for compliance and risk management | Disciplinary records, background check reports and security data |
Payroll and payment or benefits-related information | Salary, insurance information, dependents, government identifier or tax numbers, bank account details and employment related benefits information |
Financial information | Nominated bank account number and sort code, credit history and records |
Tax residency information | National insurance number, foreign tax identification number(s), citizenship(s) |
Risk and/or fraud information | Information held by fraud prevention and risk management agencies which may include information about Your identity, activities, credit information, allegations or criminal convictions |
Online identifier information | IP address, cookies |
Directorship information | Directorship role of business |
Shareholding information | Beneficial ownership of business |
We will retain the personal data that You supply as a part of Your onboarding and/or through Your other interactions with us (including identification data, product data, email correspondence, and transactional information), both on paper and on computer and/or other electronic devices, for six years after the termination of our employment relationship to comply with legal and regulatory obligations (including any possible fraud, financial crime and complaints investigations), to retain a reference and audit trail of any discussions, and to preserve a record of employment history to facilitate a streamlined employment journey for any future new employment applications. If You apply for any vacancy, but do not join and/or employment is not being offered to You for any reason, the same personal data will be retained for three years after the closing date of Your application for the same reasons or six years where there is a legal obligation to do so. To support our recruitment, a subset of your data, limited to: CV (only if you provided), Salary Data (only if you provided), First Name, Last Name, OakNorth contact, i.e., whether we approached you about a role and your response, Prospective Job (if relevant), Current Employer, Current Title, E-mail address (personal and work as applicable), All Listed Telephone Numbers (as available), LinkedIn address (as applicable), Current Location, Years Spent in Current Role, Any Other Notes (which are held in strict confidence and only obtained through e-mail conversations), and Interview Schedules, will be kept in our files for not more than 6 years. Interview notes and related feedback associated with unsuccessful applications will be destroyed six months from their date of creation. However, if a process was partially successful and the feedback was anywhere from average to excellent, these notes and feedback will be retained for two years.
Furthermore, your data may be shared with our sister company, OakNorth (UK) Ltd and any other OakNorth group companies as a part of our general recruiting practice. As a result, you may equally be considered for roles in OakNorth or OakNorth (UK) Ltd.
We will retain records in accordance with our retention policy and to comply with regulatory requirements, which can be up to six years after you left OakNorth. This includes retaining backups of our systems infrastructure for disaster recovery purposes and for the protection of data and collecting temporary logs of online applications to record Your application progress and provide support in the case of any application issues.
We may monitor or record business calls, emails, text messages or other communications related to business in accordance with applicable laws. Such recording or monitoring may take place for business purposes such as quality control and training, prevention of unauthorised use of our telecommunication systems and website, ensuring effective systems operation, prevention or detection of crime, and protection of confidential information relating to the Bank, including personal data of any user connected with their account(s). Call recordings may be retained for six months from the day of the call, or three years in case the call recording is part of a complaint which has been raised and the retention of which may be necessary to comply with any legal and/or regulatory requirements.
We may process Your personal data from business cards where the information was captured in a personal networking capacity as part of our business operations, relying on legitimate interest. We will ensure the processing is fair, proportionate and in line with normal business practice.
We may use third-party processors for our confidential research and analysis and/or for payroll, background verification, etc.
When You visit our website, we will set essential cookies on Your device, but request Your consent to set non-essential cookies. You can find out more about how we use cookies in our Cookie Policy. However, please note that we use Google Analytics, a third-party web analysis service provided by Google Inc., which uses performance cookies and targeting cookies. The information generated by these cookies about Your use of the Website (including Your IP address), will be transmitted to and stored by Google Inc. on servers in the United States. Google will use the information collected for the purpose of evaluating Your use of our Website on our behalf, compiling reports on website activity and providing other services relating to activity and internet usage to us. Google will not associate Your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on Your browser as described above. Furthermore, You can prevent Google’s collection and use of data (cookies and IP address) by downloading and installing the browser plug-in available under https://tools.google.com/dlpage/gaoptout?hl=en-GB. This creates an opt-out cookie which prevents the further processing of Your data. For more information about Google Analytics cookies, please see Google’s help pages and privacy policy. If You prevent these cookies, we cannot guarantee how the Website will perform for You.
We shall inform You by way of a dedicated email if our privacy policy has materially changed because of an update in the law or if there are changes to the nature of the processing of Your personal data. We will not email You when we make minor changes (such as to correct typographical errors, or to add information about other services which do not affect the processing of personal data), but we shall make the updated policy available on our website at all times.
2. Data transfers
We will take appropriate security measures to ensure that Your personal data is protected and secured in accordance with the relevant data protection laws, including the EU General Data Protection Regulation (GDPR) and, post-Brexit, the amendments known collectively as UK GDPR. We will only disclose information about You to third party data processors who shall process Your personal data on our behalf (like our service provider and affiliate entity, OakNorth Global Private Limited in India). We may also disclose information about You if we are required by law or regulation to do so. We shall ensure that our data processors shall process Your data based on our instructions and have appropriate data security measures to protect Your personal data.
In some cases, we may need to transfer Your information to third parties overseas including to our affiliate entity: OakNorth Global Private Limited in India, i.e. outside the European Economic Area. However, we will ensure that adequate procedures and safeguards, for example the European Commission Model Contract Clauses (and subsequent UK GDPR Addendums), are in place to protect Your personal data at all times and that any affiliates and third parties are contractually obligated to provide an adequate level of data protection in accordance with the EU data protection laws.
The UK government has agreed, and is agreeing, to inter-governmental agreements to share tax information. We ask for details of Your tax residency and in some cases tax reference numbers to enable us to comply with the related UK legislation. If You are a US person (US passport or US Born or US Registered address or US Taxpayer) we may be obliged to provide any required details about You and Your account with us to comply with the Foreign Account Tax Compliance Act (FATCA).
If we believe that we have tax obligations in other countries, we may disclose information about the Bank directly to those tax authorities or to HM Revenue & Customs, who may share that information with other tax authorities. We may disclose information we hold about You directly to those tax authorities or to HM Revenue & Customs, who may also share that information with other tax authorities.
3. Impacts of processing
If we determine that You pose a fraud or financial crime risk (which may be based on information provided to us by a fraud prevention agency), we may refuse to provide the employment You have requested, or we may terminate Your employment with the Bank. A record of any fraud or money laundering risk will be retained by us for so long as is permitted by law and may result in others refusing to provide employment to You.
If false or inaccurate information is provided and fraud is identified or suspected, we may pass information to financial and other organisations involved in fraud prevention to protect us and our customers from theft and fraud.
Law enforcement agencies may also access and use this information to detect, investigate and prevent crime. We may provide the law enforcement agencies with information about You which we consider relevant to assist with any investigation of criminal activity.
4. Your rights
Your personal data is protected by legal rights (where applicable), and may include:
4.1 The right to be informed
4.1.1 The right to be informed encompasses our obligation to provide ‘fair processing information’ through a privacy notice. It emphasises the need for transparency over how we use personal data.
4.2 The right of access
4.2.1 You have the right to access Your personal data and supplementary information. The right of access allows You to be aware of and verify the lawfulness of the processing of Your personal data. The right of access allows You to submit a Subject Access Request (SAR) for a copy of the personal data that we hold about You.
4.3 The right to rectification
4.3.1 The GDPR gives You the right to have personal data rectified if it is inaccurate or incomplete.
4.4 The right to erasure
4.4.1 The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable You to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have personal data erased and to prevent processing in specific circumstances, such as:
a. Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
b. When You withdraw consent where consent is based on the points below, without affecting the lawfulness of processing based on consent before such withdrawal.
i. Where You have given consent to the processing of Your personal data for one or more specific purposes; or
ii. Where You have given explicit consent to the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation for one or more specified purposes, except where Union or UK law provide that the prohibition may not be lifted by the data subject.
For example, if You provided consent to direct email marketing, You have the right to withdraw this consent.
c. When You object to the processing and there is no overriding legitimate interest for continuing the processing.
d. The personal data was unlawfully processed.
e. The personal data has to be erased in order to comply with a legal obligation.
f. The personal data is processed in relation to the offer of information society services to a child.
4.5 The right to restrict processing
4.5.1 You have the right to ‘block’ or suppress processing of personal data, which will make it restricted, and permit us to store the personal data, but not to process it further. We would retain just enough information about You to ensure that the restriction is respected in the future. We will be required to restrict the processing of Your personal data in the following circumstances:
a. Where You contest the accuracy of Your personal data. We will restrict the processing until we have verified the accuracy of the personal data.
b. Where You have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override Your individual rights.
c. When processing is unlawful and You oppose erasure and request restriction instead.
d. If we no longer need the personal data but You require the data to establish, exercise or defend a legal claim.
4.5.2 We must inform You when we decide to lift a restriction on processing.
4.6 The right to data portability
4.6.1 The right to data portability allows You to obtain and reuse Your personal data for Your own purposes across different services. It allows You to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability only applies to personal data You provided to us, where the processing is based on Your consent or for the performance of a contract; and when processing is carried out by automated means.
4.7 The right to object
4.7.1 You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics. You must have an objection on “grounds relating to Your particular situation” if processing is based on performance of a legal task, our legitimate interests, or research purposes.
4.8 The right in relation to automated decision making and profiling
4.8.1 Article 22 of the GDPR has additional rules to protect You if we are carrying out solely automated decision-making that has legal or similarly significant effects on You. We will only carry out this type of decision-making where the decision is: necessary for the entry into or performance of a contract, authorised by Union or UK law applicable to us, or based on Your explicit consent.
5. CCTV
We use CCTV for the purposes of public safety, crime prevention and detection, and the prosecution of offenders. Our CCTV cameras operate 24/7. We keep CCTV records for up to a month, except CCTV footage of fire drills which may be kept for up to six years.
For more information or to exercise Your data protection rights, please contact People Operations or the Bank’s DPO using the contact details above.
6. Recording of Meeting
On occasion we will record online meetings via tools such as Zoom or MS Teams to enable minutes to be recorded and/or to support training. In all cases you will be informed that the meeting is being recorded. In general, we delete all recorded meetings after 1 month; however, on occasion, where the meeting delivered training for which there may be a specific need to distribute this to the wider staff population, we may hold this recording for up to 1 year.
7. Covid-19 Specific Monitoring
During the Covid-19 pandemic we may require You to undertake a self-administered test if you are visiting the office. The results of the test are collected via a form which generates an e-mail communicated daily to the office manager ahead of Your arrival in the office and are deleted immediately. The specific purpose for this is to keep the office a safe working environment during the pandemic. We will not store or process this data other than for this purpose.
If You have a complaint about how we have used your information, You should contact our Business Desk using the contact details above so that we can assist You in dealing with Your complaint. However, You also have the right to complain to the Information Commissioner’s Office (ICO), which regulates the processing of personal data. Information on how to report a complaint to the ICO can be found on their website: www.ico.org.uk or by calling them on 0303 123 1113.
This notice was last updated April 2022.