The Chartered Banker Institute is a professional Institute incorporated under Royal Charter, which is registered as a charity in Scotland (number SC013927) and having its principal office at Drumsheugh House, 38b Drumsheugh Gardens, Edinburgh EH3 7SW, United Kingdom.

This Privacy Notice explains the Institute’s approach to how we use and protect the information that you provide to us. The Institute must comply with the UK Data Protection Act 2018 and the UK General Data Protection Regulation.

Last modified: 25 March 2021

Effective from: 6 April 2021

Privacy Policy

Our commitment

We are fully committed to handling personal data safely and securely, and in accordance with the applicable data protection legislation, guidance and best practice. This means that your personal data will be:

  1. Processed lawfully, fairly, and in a transparent manner.
  2. Collected for specified, explicit and legitimate purposes.
  3. Only collected so far as required for our lawful purposes.
  4. Kept as accurate and up to date as possible.
  5. Retained for a reasonable period of time, in accordance with retention policies.
  6. Processed in a manner which ensures an appropriate level of security.

Whether through this notice or otherwise, we hope to be as transparent as possible. We aim to ensure that you have an understanding of how and why we use your personal data, and the rights you may have as a data subject.

What personal data does the Institute collect?

We collect personal data to fulfil our role as a professional body. As there are many different aspects to this role, the information requested and collected may vary.

From our members:
The personal data most commonly collected from our members, student members and prospective members usually include:

  • Personal identifiers, such as name and date of birth
  • Contact details (including home and business addresses, email, telephone number)
  • Employment details (including current and previous employers)
  • Information connected to education and training (including assessment data)
  • Records of learning and development activity (CPD records)
  • Attendance records for our courses and events
  • Information regarding investigation and disciplinary processes
  • Records of enquiries, meetings and other direct engagement
  • Copies of physical and electronic correspondence
  • Payment information (e.g., debit/credit card details for paying membership subscriptions)
  • Financial Conduct Authority Registration Number
  • Assessment data (examination results, assignment results and experiential assessments)
  • Any special circumstances and reasonable adjustments.

From non-members:
Such individuals might include members of the public, business contacts supporting our members, those interested in the work of the Institute or individuals attending events we have organised. The personal data most commonly collected from these individuals are:

  • Name
  • Contact details (including home and business addresses, email, telephone number)
  • Records of enquiries, meetings and other direct engagement
  • Information regarding investigation and disciplinary processes
  • Copies of physical and electronic correspondence

When people access our online services, for example via our website www.charteredbanker.com, we may also collect information. We use this information to improve the user experience, and to help us better understand the ways in which our website is used. This may include information about:

  • The computer or device type
  • IP address
  • Operating system
  • Browser type and version
  • Time zone setting and browser plug-in types and versions.

This is statistical data about users browsing actions and patterns. It is collected on an anonymous, aggregated basis, and does not identify individual users.

Does the Institute process any special categories of personal data?

We may collect special categories of personal data about you, as is appropriate in our duty to fulfil our role as a professional body. The data we may collect are:

  • Evidence of medical conditions where reasonable adjustments have been put in place for examinations, other assessments or access to resources.
  • Any special dietary or access requirements, for example, you are attending an event organised by the Institute.

We will not use this information without your prior agreement, and only for the purposes of organising and running the event. 

Why does the Institute need to process personal data?

We use and store the personal data we collect so that we can approve members and support their professional development in our role as a professional body. The personal data we collect will also enable us to contact you concerning your queries regarding our services and functions.

This includes (but is not limited to):

  • Quality and training purposes.
  • Providing a wide range of member services.
  • Providing a wide range of training services.
  • Organisation and administration of events.
  • Awarding of qualifications upon completion.
  • Apprenticeship programmes.
  • Acknowledgment of special circumstances and reasonable adjustments.
  • Recognition of learning and development activity.
  • Provision of bespoke training services to employers.
  • Notifying you of updates and changes to our services.

 

How does the Institute collect personal data?

Like most organisations that handle personal data, there are various ways in which we collect personal data including:

  • Email and written correspondence
  • Telephone discussions
  • Visitors to our website
  • Social media
  • Application forms and other information requests
  • From our members' employers (e.g., when a bank enrols its employees for one of our professional qualifications)
  • Direct contact at our offices and elsewhere
  • Bulk enrolments received from corporate clients

In nearly all instances, it should be obvious to you that we are collecting your personal data.

What is the lawful basis for the Institute’s processing activities?

The Institute will only process your personal data where we believe we have a lawful basis to do so. The basis for processing will vary from activity to activity. Our legal basis for the processing of personal data is as follows:

Consent: you have given clear consent to the Institute to process your personal data

Contract: the processing is necessary for the fulfilment of a contract

Legal obligation: the processing is necessary for the Institute to comply with the law

Vital interests: the processing is necessary to protect your vital interests, including the protection of rights and freedoms

Public interests: the processing is within the official authority of the Institute and in the public interest

Legitimate interests: the processing is necessary for the Institute’s legitimate interests or legitimate interest of a third party, unless the processing is overridden by the vital interests, including rights and freedoms.

Consent

By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified.

In circumstances where consent is required for the Institute to process personal data, it must be explicitly given. For sensitive personal data we will always tell you why and how the information will be used.

You may withdraw consent at any time by completing a Withdrawal of Consent Form available here:  

GDPR_REC_4.6A - Withdrawal of Consent Form


Once the form has been completed and returned to the Institute, processing of the data is stopped in accordance with the relevant process.

Does the Institute share personal data with third parties?

Some of the processing activities set out above require the Institute to share personal data with third parties. Whenever we share personal data, we take all reasonable steps to ensure it will be handled appropriately and securely by the third party.

In some circumstances the disclosure of Personal Data to third parties may involve the transfer of data outside of the UK in accordance with the requirements of the applicable data protection legislation. We will only transfer Personal Data outside of the UK where we are satisfied that:

  • The country has Data Protection laws similar to the laws in the UK;
  • The recipient has agreed through contract to protect the information to the same Data Protection standards as the UK;
  • We have obtained consent from relevant data subjects to the transfer. If, in order to provide you with our services, we must transfer data outside of the UK, to a country which has not received an adequacy decision, then we will require additional safeguarding measures be put in place.

The main third parties with whom the Institute shares personal data include (but are not limited to):

  • Our Board of Trustees, as well as members of Institute Boards, Committees and Fora who assist us in fulfilling our role as a professional body.
  • Academic Associates who assist us in fulfilling our role as an Awarding Body and also as a provider of Professional Education.
  • Financial services and other regulators, as well as relevant statutory bodies (e.g., HMRC, SCQF, the Financial Conduct Authority).
  • Other professional bodies (on a ‘regulator-to-regulator’ basis).
  • Corporate customers.
     

Software providers which allow the Institute to operate efficient digital processes (including but not limited to):

  • ECom
  • Pixl8
  • Sage
     

Third party suppliers which allow the Institute to provide services to its members (including but not limited to):

  • Access Group (formerly Unicorn
  • PearsonVue
  • Knowledgepool
  • Turnitin
  • Command Publishing
  • Caliqual Ltd
  • GoodPractice
  • BPP Holdings Ltd
  • Vitalsource
  • Kaplan Financial Ltd

For practical reasons, this is an indicative, but not exhaustive list and is kept under review.

 

Examination Services

Our examination services are provided by PearsonVue.  

When booking your examination, you will be referred to further privacy policies specific to sharing your data with PearsonVue. This consent is required to provide you with your examination and to ensure it runs as smoothly as possible. Your data will be used for the purposes of identity verification, incident investigation and resolution and for the integrity of the exam and assessment process. 

If you are using the online invigilation service, meaning you are not taking your exam at an one of our approved test centres, you will be asked to give your consent to PearsonVue collecting and recording some additional personal data, described as biometric data.  This can include a facial or ID photograph and images taken during your exam – screenshots of the PC used, the exam setting/surroundings, and video of the exam session itself. The collection of such data is optional, but necessary if you choose to use the online invigilation service. 

Please be assured that we have taken steps through our careful selection and contracting with our partner to ensure the security of your data and conduct regular reviews with our partner.  

The data you provide to PearsonVue and any which we share with PearsonVue on your behalf, is encrypted in transit and at rest, and is stored in physically secured and hardened data centres. None of your biometric data is shared with the Institute. PearsonVue retains your personal data no longer than is necessary for the purposes for which it is processed. The length of time for which PearsonVue retain information may also depend on the specific retention periods set out by us as the awarding organisation, and any applicable laws. 

When booking your exam, we advise that you read the relevant privacy notices carefully. 

For how long does the Institute retain personal data?

The periods for which the Institute retains personal data will depend on the purpose for which the data has been obtained. In general terms, we will retain personal data for so long as required by law, or as may be required for record keeping and legal claims purposes.

Please note that as an awarding and membership body, we are required to retain certain information about our members indefinitely, such as the period of membership, qualifications and level of membership attained.

If you would like more information about our Retention Schedule, please contact the Institute’s Data Protection Representative by email: [email protected]

How does the Institute process cookie files?

Our website makes use of cookie files to distinguish you from other users of our site, and to provide you with a bespoke user experience tailored to your individual preferences. A cookie file (a small file of letters and numbers) will be placed on your computer or other access device each time you visit our site.

We also use analytical cookie files. These allow us to recognise and count the number of visitors to our site and to see how visitors move around our site when they are using it. This helps us to improve the way our site works, for example, by ensuring that users are finding what they are looking for easily. If you wish to delete any such cookie files, please refer to the instructions for your file management software to locate the file or directory that stores cookies.

You may refuse to accept cookie files when visiting our site, by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you choose this setting, you may not get an optimal web site experience and be unable to access certain parts of our site.

Information on our cookie policy is available here.

Your rights where the Institute is processing your personal data

At any point while we are in possession of or processing personal data, you have the following rights:

  • Right of access to your personal data
    You have the right to request a copy of the personal data that the Institute holds about you.
  • Right of rectification
    We want to make sure that your personal data is accurate, complete, and up to date, and so you may ask us to correct any personal data about you that you believe does not meet these standards. You can do this by emailing: [email protected].
    You may also log in to our member homepage to update your own details at anytime.

 

  • Right to erasure
    You have the right to ask us to delete personal data about you, where:
  • You consider that we no longer require the personal data for the purposes for which it was obtained
  • We are using the personal data with your consent and you have withdrawn your consent
  • You have validly objected to our use of your personal data
  • Our use of your personal data is contrary to law or the Institute’s other legal obligations.

Please note that as an awarding and membership body, we are required to retain certain information about you, such as period of membership, qualifications and level of membership attained. Should you enact your right to erasure, such data will be anonymised and retained in a secure archive.

  • Can I change how you use my data?
    You have a right called the right to restrict processing. This means you can ask us to only use or store your information for certain purposes or as us to restrict how we use your personal data.

    For example, we are constantly aiming to provide you with more services in areas you are interested in and you may have shared preferences with us to do so.

    However, if you don’t want us to use your information in this way, then you can ask us to stop, or you change your preference settings online.

    The right might also apply if the Institute no longer has a basis for using your personal data, but you don't want us to delete the data.  Where this right is validly exercised, we may only use the relevant personal data with your consent, for legal claims, or where there are other public interest grounds to do so.

    Sometimes we can meet your request to change how we use your information. However, other times it’s just not possible, like if the law tells us we can’t or in order to meet our role as a professional body and awarding body.

  • What about marketing?
    We may use your personal data to provide you with information about our services and/or products, which we consider may be of interest to you.

    You have the right at any time to require the Institute to stop using your personal data for direct marketing purposes.  Members can update your preferences of how and what we communicate to you at any time through our preference centre. Our newsletters and other marketing and events communications also make unsubscribing easy by following the option to unsubscribe. You can of course always contact us if you wish to make changes.
  • Withdrawing consent to using your information
    Where we use your personal information with your consent, you may withdraw that consent at any time, and we will stop using your personal information for the purpose(s) for which consent was given.

In some cases, you may ask us to restrict how we use your personal data. This right might apply, for example, where we are checking the accuracy of personal data we hold about you, or assessing the validity of any objection you have made to the Institute's use of your personal data. The right might also apply if the Institute no longer has a basis for using your personal data but you don't want the Institute to delete the data. Where this right is validly exercised, the Institute may only use the relevant personal data with your consent, for legal claims, or where there are other public interest grounds to do so.

If you wish to exercise any of these rights, please contact us – please see the ‘Raising a Concern’ section of this policy. Any requests will be forwarded on to the Institute’s Data Protection Representative without undue delay. A record of the request will be kept for compliance purposes and confirmation will be sent once the request has been actioned. If any third parties are involved in the processing of the data, they will also be informed.

Raising a concern

In the event that you wish to raise a concern or make a complaint about how your personal data is being processed by the Institute (or third parties as described above), or are concerned about how your data has been handled by us, you have the right to lodge a complaint with the Institute or directly with the Information Commissioner’s Office (ICO).

We provide guidelines on our website to help you raise any concerns with us: CBI - Customer Service Information.

The ICO also provides some useful guidance on how to raise a concern: https://ico.org.uk/your-data-matters/raising-concerns.

You can raise a concern or lodge a complaint with the Institute in the following ways:

  • By telephoning the Institute on +44(0)131 473 7777
  • By emailing the Data Protection Representative directly at [email protected]   
  • By writing FAO The Data Protection Representative, Chartered Banker Institute, Drumsheugh House, 38b Drumsheugh Gardens, Edinburgh, EH3 7SW.   

 

You can raise a concern or lodge a complaint with the ICO in the following ways:

  • By telephoning - 0303 123 1113 (local rate) or 01625 545 745
  • Via the ICO website: https://ico.org.uk/concerns
  • By writing to: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Changes to our privacy notice

We keep this notice under regular review and will place any updates on our website.  Paper copies of the privacy notice may also be obtained by emailing [email protected] or in writing to our office at Chartered Banker Institute, Drumsheugh House, 38b Drumsheugh Gardens, Edinburgh EH3 7SW, United Kingdom.

Please Note: During the Covid-19 pandemic, we are working remotely. We recommend that you use email to contact us in the first instance at this time.

Contact information and further advice

If you have any questions which are not covered in this notice, we suggest that you contact our Data Protection Representative by emailing: [email protected]

To help us deal with your query as quickly as possible, we recommend that you include the following in the email subject ‘FAO Data Protection Representative’.  

Please note that during the Covid-19 pandemic, we are working remotely and therefore recommend that you contact us by email in the first instance. However, should you prefer to submit your questions in writing, these can be addressed to our office at Chartered Banker Institute, Drumsheugh House, 38b Drumsheugh Gardens, Edinburgh EH3 7SW, United Kingdom, addressing your letter to the Data Protection Representative – uplift and forwarding of mail will depend on the particular restrictions in operation at that time.