Intelligent Lending Limited (trading as Ocean, Ocean Finance, CredAbility) is committed to protecting the privacy and security of your personal information.
This privacy policy describes how we collect and use personal information about you in accordance with the data privacy laws and regulations.
Intelligent Lending Limited is a Data Controller, which means that we determine the purposes and mean of processing your personal information. We are registered directly with the Information Commissioner’s Office (ICO) and our registration number is Z7306888
This privacy policy applies to potential, current and former employees, workers and contractors. This notice does not form any part of any contract of employment or other contract to provide services.
If you have any questions about how we may use your personal information you can contact us using the details below or speak to your manager.
HR Department
Intelligent Lending Limited
Think Park
Mosley Road
Trafford Park
Manchester
M17 1FQ
Email: HR@ocean.co.uk
It is important that you read and retain this privacy policy, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data privacy laws and regulations.
Date last updated: 26/07/2022
1. What personal information do we collect?
We will collect, store, and use the following categories of personal information about you:
- Personal contact details such as name, title, address, telephone numbers and personal email addresses
- Date of birth
- Gender
- Marital Status
- Nationality
- Next of kin and emergency contact information
- National Insurance number
- Bank account details, payroll records and tax status information
- Salary, annual leave, pension and benefits information
- Start date and, if different, the date of your continuous employment
- Leaving date and your reason for leaving
- Location of employment or workplace
- Copy of your driving licence (for ID purposes or if your role requires this)
- Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
- Employment records (including job titles, work history, working hours, holidays, training records and professional memberships)
- Compensation history
- Performance information
- Disciplinary and grievance information
- CCTV footage and other information obtained through electronic means such as swipe card records
- Information about your use of our information and communications systems
- Photographs
- Results of HMRC employment status check, details of your interest in and connection with the intermediary through which your services are supplied
- Information from fraud prevention agencies
We may also collect, store and use the following “special categories” of more sensitive personal information:
- Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
- Information about your health, including any medical condition, health and sickness records, including:
- records relating to the decision to leave employment, where the reason for leaving is determined to be ill-health and where the records are also needed for pensions and permanent health insurance purposes;
- details of any absences (other than holidays) from work including time on statutory maternity or parental leave and sick leave; and
- occupational health records or where reasonable adjustments may be required.
- Genetic information and biometric data
- Information about criminal convictions and offences
Processing special categories of information requires a higher level of protection.
2. Information about criminal convictions
We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out obligations and provided we do so in line with our data protection policy.
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment and initial employee vetting processes or we may be notified of such information directly by you in the course of you working for us.
We are allowed to use your personal information in this way to carry out our legal obligations for employee vetting requirements. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.
3. How we use your personal information
We can only use your personal information where it falls into one or more of the following categories:
- it is necessary to fulfil a contract we have with you;
- you have provided your consent;
- we have a legal or regulatory obligation to do so;
- it is necessary to carry out a task which is in the public interest;
- it is necessary to protect your vital interests; or
- it is in our legitimate interest to do so and it is not against your rights.
The table below sets out how we will use your personal information and under what lawful basis.
Reason for processing personal information
Lawful basis
- Making a decision about your recruitment or appointment
- Determining the terms on which you work for us
- Checking you are legally entitled to work for a UK company
- Paying you and, if you are an employee or deemed employee for tax purposes, deducting tax and National Insurance contributions (NICs)
- Providing you with relevant benefits offered during the course of employment
- Administering the contract we have entered into with you
- Business management and planning, including accounting and auditing
- Conducting performance reviews, managing performance and determining performance requirements
- Making decisions about salary reviews and compensation
- Gathering evidence for a possible grievance or disciplinary hearing
- Making decisions about your continued employment or engagement
- Making arrangements for the termination of our working relationship
- Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
- Ascertaining your fitness to work
- Managing sickness absence
- Complying with health and safety obligations
- To prevent and detect fraud
- To monitor your use of our information and communication systems to ensure compliance with our IT policies
- Equal opportunities monitoring
This processing is required to enable you and us to enter into an employment or service contract and to fulfil the contractual obligations.
We also have a legal and regulatory obligation to carry out certain vetting checks prior to an employment position being offered/undertaken and during the course of your employment.
To allow us to comply with a legal or regulatory obligation, for example, health and safety obligations.
- Enrolling you in a pension arrangement
- Liaising with the trustees or managers of a pension arrangement operated by a group company, your pension provider and any other provider of employee benefits
We have a legal obligation to meet our statutory automatic enrolment duties and for any other pension administration requirements.
- Education, training and development requirements
- To conduct data analytics studies to review and better understand employee retention and attrition rates
Training will be provided to meet certain legal and regulatory obligations.
Training, development and analysis is also required to pursue our legitimate interest in developing our staff and business.
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our employees).
4. How we use special categories of personal information
We will use special categories of personal information in the following ways:
- We will use information relating to leaves of absence, which may include sickness absence or family related absences, to comply with employment and other laws.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions and permanent health insurance.
Do we need your consent?
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
5. Who we may share your personal information with
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest or legal obligation to do so. This may include the following types of organisations:
- Recruitment Platforms that we use to manage and facilitate our recruitment processes
- IT Service Providers who provide technology platforms or other IT services.
- Banks and finance companies and insurers that process payroll, pension contributions and any other payments or deductions made before, during or after the termination of employment
- HMRC for tax purposes
- Child Support Agency, where required to do so for any investigations or Attachment of Earnings Orders
- Communication providers (e.g. telephone line providers and email and text service providers).
- Printers who print the letters and information packs which we may send to you.
- Third parties who may have introduced you to our company e.g. recruiters.
- Benefit Scheme providers who provide our employees with benefits during the course of their employment.
- External Agencies who may undertake employee vetting checks on our behalf
- Regulators, such as the Financial Conduct Authority
- Police, where there may be a criminal investigation or other police matter where it may be necessary to share your personal information
- TMG Limited - who provide intra-group services, for example legal support, payroll and facilities.
These organisations help us to provide our services to you and to assist us as an employer. We will have a contract in place with any provider who directly provides us with such services to ensure that they comply with their data protection obligations and ensure that they have appropriate security measures in place.
We may also share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, disclosures to our regulators such as the Financial Conduct Authority or the Information Commissioner’s Office, assisting the police with any criminal investigations or other police matters, and disclosures to shareholders such as directors’ remuneration reporting requirements.
6. Automated Decision Making
An automated decision is one which we rely on a computer or system to assess the information you provide to us to make a decision about you. This may include:
- detecting any fraudulent activity which may be taking place, or there is a risk that it could take place
- checking identity and residency statuses
You will not be subject to decisions that will have a significant impact on you based solely on automated decision making, unless we have a lawful basis for doing so and we have notified you.
7. Credit Reference Agencies
When you accept an offer of employment with Ocean Finance, and during the course of your employment, we carry out identity checks and financial probity check. We will share your personal information with Credit Reference Agencies (CRAs) and they will give us information about you. The data we may exchange can include:
- Name, address (including previous addresses) and date of birth
- Credit applications and details of any shared credit
- Financial situation and history
- Fraud prevention information
- Public information, from sources such as the Electoral Register and Companies House
This information will be used to verify your identity and assess your suitability to work within Financial Services.
For further information on how CRAs may use your personal information you can view the Credit Reference Agency Information Notice here or from the three main CRAs – TransUnion UK; Equifax; and Experian.
8. Using Fraud Prevention Agencies
General
- We will check your details against the Cifas databases established for the purposes of allowing organisations to record and share data on their fraud cases, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct (“Relevant Conduct”) carried out by their staff and potential staff. “Staff” means an individual engaged as an employee, director, trainee, homeworker, consultant, contractor, temporary or agency worker, or self-employed individual, whether full or part time or for a fixed-term. “Potential staff” means someone applying for employment with the company, whether directly or through a third party.
- The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and other Relevant Conduct and to verify your identity.
- Details of the personal information that will be processed include: name, address, date of birth, and maiden or previous name, contact details, document references, National Insurance Number, and nationality. Where relevant, other data including employment details will also be processed.
- We and Cifas may also enable law enforcement agencies to access and use your personal data to detect, investigate, and prevent crime.
- We process your personal data on the basis that we have a legitimate interest in preventing fraud and other Relevant Conduct, and to verify identity, in order to protect our business and customers and to comply with laws that apply to us. This processing of your personal data is also a requirement of your employment with us.
- Cifas will hold your personal information for up to six years if you are considered to pose a fraud or Relevant Conduct risk.
Consequences of Processing
- Should our investigations identify fraud or any other Relevant Conduct by you when applying for or during the course of your employment with us, your offer of employment may be rescinded or your existing employment may be terminated or other disciplinary action taken (subject to your rights under your existing contract and under employment law generally).
Data Transfers
- A record of any fraudulent or other Relevant Conduct by you will be retained by Cifas and may result in others refusing to employ you. If you have any questions about this, please HR@ocean.co.uk
- Should Cifas decide to transfer your personal data outside of the UK they will impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
Your Rights
- Your personal data is protected by legal rights. Further information on your rights can be found in Section 11
- You also have the right to complain to the Information Commissioner’s Office which regulates the processing of personal data. Further information can be found in Section 14
9. International Transfers
We may share your personal information outside the UK where we have your consent; to comply with a legal obligation; or where we work with a business partner who provides services to us, and they process information outside of the UK.
If we do share your information outside of the UK, we will make sure that it is protected in the same way as if it was being used within the UK to ensure appropriate safeguards are in place. This may include putting in place a contract with the business partner that means they must protect the personal data to the same standards as it would within the UK (this may include defined model clauses), or only share the data to a business partner outside the UK or in a non-EEA country where the privacy laws provide the same protection as within the UK or the EEA and where appropriate technical and organisational measures are in place to ensure the data is protected and secure.
10. Security
We take the protection of personal information very seriously, and we will maintain appropriate measures to maintain the confidentiality, integrity and availability of the information you have provided. Such measures include:
- Company security policies and standards.
- Staff security awareness.
- Role-based access controls to prevent unauthorised access to the information.
- Encryption and anonymisation technology.
- Anti-malware technologies.
- Security monitoring.
- Security testing.
- Secure archiving and deletion.
- Compliance with industry regulation and legislation.
11. Your Rights
Access to your personal information
You have the right to request from us a copy of the personal information that we may hold about you. This is often called a “Data Subject Access Request”. You can request this information by contacting us as set out below.
Before providing this information to you or to another person or company where you have requested this personal information to be sent to, we may ask for proof of identity or ask sufficient questions to enable us to locate the information and ensure that we’re only providing it where you have given your agreement.
Right to have your personal information corrected
If the personal information we hold about you is incorrect, you have the right to request that we correct this.
Right to stop or limit the processing of the information we carry out
You may request that we stop processing the information if we’re no longer entitled to process it. There may be occasions where we are unable to delete the information due to our legal or regulatory obligations. We will, however, discuss this with you if you request for your information to be deleted.
Right to object to processing
You have the right to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
Right to request your personal information be deleted
In some circumstances you may request for us to delete or remove personal information where there is no good reason for us to continue to process it, for example, we have no legal or regulatory requirement to keep the information.
Right to transfer your personal information
In some cases, you may be able to request for your information to be provided to yourself or another party in a format that can be processed electronically by yourself or the other party. If you want to request this, you’ll need to contact us.
12. How long do we keep your personal information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
If you apply for a role but were either unsuccessful or decided not to take the position, in most cases your personal information will be retained for 6 months from when the application was made, unless you agree for us to keep this information for longer or request for your personal information to be deleted.
If you become an employee, worker or contractor of Intelligent Lending your personal information will be retained for at least six years, starting from the date your employment ceases. You can find more information on the retention and deletion of personal data in our Data Retention Standards which is available on the Intranet.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
13. Recording calls
We will record any telephone calls made to or from Intelligent Lending, which may include calls you make in the course of your employment. This is for training, monitoring and quality purposes and to meet our legal and regulatory obligations. Some telephone calls may be observed by staff for training and development purposes.
We may keep a copy of the telephone calls for at least six years from the date the telephone call was made.
14. Contact us
If you have any questions or queries about how we use your personal information you can contact us using the address or email below:
HR Department
Intelligent Lending Limited
Think Park
Mosley Road
Trafford Park
Manchester
M17 1FQ
Email: HR@ocean.co.uk
If you are not happy with how we process your personal information you should contact us. If you’re not happy with how we have dealt with your complaint, you have the right to make a complaint with the Information Commissioner’s Office. You can find their details on their website at https://ico.org.uk/.
15. Updates to this privacy policy
If we make any important or significant changes to the way we collect and use your personal information we will endeavour to notify you of this change as soon as reasonably practical.