Bamboo Fair Processing Notice
1. Introduction
Bamboo Limited (the ‘Company’, ‘Bamboo’, ‘we’, ‘our’, or ‘us’) holds and processes data on all current and former employees, individual contractors, applicants, interview candidates, interns, agency workers, consultants, directors, (‘the employee’, ‘the candidate’, ‘you’ or ‘your’), and third parties whose information you provide to us in connection with such relationships, (“employment”) e.g. next-of-kin, emergency contact information and/or dependents. This notice explains how the Company collects, uses and shares personal and sensitive (where appropriate) information in the course of the whole employment life cycle, from recruitment to when the employment ends, and wherever applicable, after employment. This notice is effective from September 2018. The company reserves the right to change this notice from time to time to keep it up to date with legal requirements, guidance from the Information Commissioner’s Office and the way we operate our business. The Company will notify the employees when a change is made. If you have any questions regarding the processing of your personal information or if you believe your privacy rights have been violated, please contact People & Culture. If you are aware of an unauthorised disclosure of data, please also refer this to People & Culture for guidance as to the applicable reporting requirements. We take your data protection rights and our legal obligations seriously. Your personal information will be treated in a secure and confidential manner as set out below.
2. Scope
This Fair Processing Notice sets forth the principles under which Bamboo manages the processing of Personal and Sensitive Data that it receives from its employees, in support of its People & Culture operations. The following describes the categories of personal information we may process, how your personal information may be processed and how your privacy is safeguarded in the course of our relationship with you. It is intended to comply with our obligations to provide you with information about Bamboo's processing of your personal information under privacy laws. It does not form part of your contract of employment or other engagement.
3. Data collection
Bamboo collects and records your personal information from a variety of sources, but mainly directly from you. You will usually provide this information directly to your managers, People & Culture , or enter it into our systems (for example information sent via email, input into our software etc.). In addition, further information about you will come from your managers or People & Culture team.
We may also obtain some information from third parties, for example, references from a previous employer, medical reports from external professionals, tax authorities, benefit providers or from a third party to carry out a background check or credit reference agency or Cifas (where permitted by applicable law).
In some circumstances, data may be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings and email and Internet access logs), if and to the extent permitted by applicable laws. In these circumstances, the data may be collected by Bamboo or a third-party provider of the relevant service. This type of data is generally not accessed on a routine basis, but access is possible. Access may occur, for instance, in situations where Bamboo is investigating possible violations of Bamboo policies such as improper Internet usage, conduct or office attendance.
Where we ask you to provide personal information to us on a mandatory basis, we will inform you of this at the time of collection and in the event that particular information is required by the contract or statute this will be indicated. Failure to provide any mandatory information will mean that we cannot carry out certain People & Culture processes. For example, if you do not provide us with your bank details, we will not be able to pay you. In some cases, it may mean that we are unable to continue with your employment or engagement as Bamboo will not have the personal information we believe to be necessary for the effective and efficient administration and management of our relationship with you.
Apart from personal information relating to yourself, you may also provide Bamboo with personal information of third parties, notably your dependents and other family members, for purposes of People & Culture administration and management, including the administration of benefits and to contact your next-of-kin in an emergency. Before you provide such third-party personal information to Bamboo you must first inform these third parties of any such data which you intend to provide to Bamboo and of the processing to be carried out by Bamboo, as detailed in this Fair Processing Notice.
4. Processing of personal information
Personal Information during your employment
Bamboo collects and processes your personal information for the purposes described in this Fair Processing Notice. Personal information means any information describing or relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Some of the personal data collected and processed will vary depending on the employee’s position and role.
- Employee related data: your title, forename, middle name(s) and surname, birth name, preferred name, any additional names, gender, civil/marital status, date of birth, age, home contact details (e.g. address, telephone number, e-mail), National Insurance number, national ID number, immigration and eligibility to work data (where applicable), languages spoken; next-of-kin/emergency contact details and dependent contact information;
- Data related to your engagement with Bamboo: work contact details (e.g. address, telephone number, e-mail), work location, default hours, your worker ID and various system IDs, your performance review information, your CV, exit interviews, references, the reason for any change in job and date of change. In addition, data such as your reporting line, your employment type, your hire/contract start and end dates, your job title and job description, your working hours and patterns, whether you are full or part time, your employment end date, the reason for leaving, your last day of work, status (active/inactive/terminated), position title. Such additional data would be regarded as personal data if it has been used in conjunction with another piece of information that could identify the individual such as name or date of birth. Such data used as standalone information would bot be perceived as personal data;
- Recruitment data: qualifications, references, CV, interview notes, any relevant educational certification, any relevant background checks undertaken prior to the hire taking place (and sometimes after).
Background checks
Offer of employment and continuous employment is subject to a satisfactory background checks and each check will be reviewed on a case by case basis. The type of background check will vary depending on the employee’s position and role. We undertake background checks as follows:
- Employment references will be taken after the employment commences and a Cifas (credit) check will be conducted in the first two weeks of employment. Thereafter an annual Cifas check will be performed on each employee.
- For certain positions and roles we would conduct more comprehensive background check, involving a third party called HireRight, usually this would take place prior to the employment taking place, where possible. The checks would include:
Activity History: 5 Years
Academic verification
Address verification
Credit check
Employment verification
Global watchlist check ID document verification
International criminal record search
Professional qualifications verification
UK regional criminal record check – eBasic Disclosure
We would advise the employee prior to such check taking place and seek their consent to share their email address with HireRight. Afterwards, the candidate will need to provide initial information to HireRight to commence such checks.
- As Bamboo is regulated by Financial Conduct Authority it will need to be compliant with the new rules, Senior Manager and Certification Regime (SM&CR), which means approved Senior Managers and Certified Functions, will need to be vetted more thoroughly in order to perform the function. For the list of what checks would be performed, please liaise with People & Culture.
The data is collated by HireRight and the results shared with Bamboo. We do not keep records of the results and HireRight deletes the results after six months after the completion of each individual check. Bamboo will only record the date when the check was completed for record keeping purposes.
Cifas Checks
Cifas is a fraud prevention service in the United Kingdom. Your personal information will also be used to verify your identity with Cifas. Cifas will use it prevent fraud, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct. If any of these are detected, the affected employee could be refused certain services and/or employment within financial services sector.
Other Employment Data
During your time at Bamboo, we will also process some other additional information relating to you, such as:
- Regulatory data: records of your registration with any applicable regulatory authority, your regulated status and any regulatory references;
- Remuneration and benefits data: your remuneration information (including salary, commission, statutory payments, bonuses, allowances), bank account details, grade, National Insurance number, tax code, tax information, third party benefits recipient information, pension information (level of contributions and payments made);
- Absence information: absence records (including dates, categories of leave/time-off, categories and any relevant comments), holiday dates, information related to family leave (including any relevant paperwork like Fit Notes or MATB1 etc), and any other type of leave including but not limited to jury service, military reserve related etc.;
- People & Culture processes data: allegations, investigations and proceeding records and outcomes, colleague and manager feedback, appraisals/performance reviews, formal and informal performance management processes, flexible working arrangements, restructuring plans, consultation records, selection and redeployment data, risk assessments, incident reports, data relating to training and development needs or training received, any relevant communication associated with the change or amendments to contract of employment, beneficiary details (for life assurance benefit) and for some employees’ family and dependant details (name, date of birth and address), where applicable;
- Monitoring data (to the extent permitted by applicable laws): system and building login and access records, keystroke, download and print records, call recordings, data caught by IT security programmes and filters; and
- Employee claims, complaints and disclosures data - termination arrangements and payments, subject matter of employment-based litigation and complaints, employee involvement in incident reporting and disclosures. Certain additional information may be collected where this is necessary and permitted by local applicable laws.
5. Special categories of personal information
To the extent permitted by applicable laws, Bamboo may also collect and process a limited amount of personal information falling into special categories, sometimes called “sensitive personal data”. This term includes information relating to such matters as racial or ethnic origin, religious beliefs, physical or mental health (including details of accommodations or adjustments), certain maternity/adoption information, trade union membership, sexual orientation, information regarding sexual life, biometric data, genetic data, criminal records and information regarding criminal offences or proceedings.
6. Purpose and lawful basis for data processing
Your personal information is collected and processed for various business purposes, in accordance with applicable laws Data may occasionally be used for purposes not obvious to you where the circumstances warrant such use (e.g., in investigations or disciplinary proceedings). We may collect and process your personal information for various purposes, as set out in this Fair Processing Notice.
Where applicable data protection laws require us to process your personal information on the basis of a specific lawful justification, we generally process your personal information under one of the following bases:
- the processing is necessary for the legitimate interests pursued by Bamboo (being those purposes described in the section above), except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal information;
- the processing is necessary for compliance with a legal obligation to which Bamboo is subject; or
- the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into such a contract.
We may on occasion process your personal information for the purpose of the legitimate interests pursued by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal information.
We have identified a variety of reasons for the processing personal information. These purposes each relate to a lawful basis for processing, as required under applicable law. These purposes can include:
- Recruitment and selection;
- Appropriate vetting for recruitment and team allocation including, where relevant and appropriate credit checks, right to work verification, identity fraud checks, criminal record checks (if and to the extent permitted by applicable laws), relevant employment history, relevant regulatory status and professional qualifications;
- Providing and administering remuneration, benefits and incentive schemes and reimbursement of business costs and expenses and making appropriate tax and national insurance deductions and contributions;
- Allocating and managing duties and responsibilities and the business activities to which they relate, including business travel;
- Identifying and communicating effectively with staff.
The list is not exhaustive, and any additional information regarding specific processing of personal information may be needed. In that situation you will be notified accordingly. If you would like to find out more about the legal basis by which we process personal information please contact People & Culture.
Legal bases for processing special categories of personal information or sensitive data
The sensitive or special categories of personal information that may be processed by Bamboo are set out in this Fair Processing Notice.
Where applicable data protection laws require us to process such special categories of personal information on the basis of a specific lawful justification, we process the same under one of the following bases:
- the processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or Bamboo in the field of employment law, social security and social protection law, to the extent permissible under applicable laws;
- the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, to the extent permitted by applicable laws;
- the processing is necessary to protect your vital interests or of another person where you are physically or legally incapable of giving consent (for example in exceptional emergency situations, such as a medical emergency); or
- the processing is necessary for the establishment, exercise or defence of legal claims.
We may seek your consent to certain processing which is not otherwise justified under one of the above bases. If consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested, along with the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your employment to agree to any request for consent from Bamboo.
Processing data relating to criminal convictions and offences
Personal information relating to criminal convictions and offences will only be processed where authorised by applicable laws.
For example:
- a criminal record check may be carried out on recruitment where authorised by applicable laws (see clause 4.1); or
- an allegation of a criminal offence or conviction arising during your relationship with Bamboo may be processed where required or authorised. For example, where we have a legal or regulatory requirement to report an offence or applicable laws authorise Bamboo to process information about the offence for the purpose of making decisions regarding your relationship with Bamboo.
7. Retention of personal information
Bamboo endeavours to ensure that personal information is kept as current as possible and that irrelevant or excessive data are deleted or made anonymous as soon as reasonably practicable. However, some personal information may be retained for varying time periods in order to comply with legal and regulatory obligations and for other legitimate business reasons.
We will generally retain your personal information only so long as it is required for purposes for which it was collected. This will usually be the period of your employment/contract with us plus the length of any applicable statutory limitation period following your departure, although some data, such as pension information, may need to be kept for longer. We may keep some specific types of data, for example, tax records, for different periods of time, as required by applicable law. Data concerning disciplinary proceedings in regard to SM&CRs Conduct Rules will be kept indefinitely.
8. Access to data
Within Bamboo, your personal information can be accessed by or may be disclosed internally on a need-to-know basis to:
- People & Culture, including managers and team members;
- management responsible for managing or making decisions in connection with your relationship with Bamboo or when involved in a People & Culture process concerning your relationship with Bamboo;
- system administrators; and
- where necessary for the performance of specific tasks or system maintenance by staff in Bamboo teams such as the Finance and IT team.
Your personal information may also be accessed by third parties whom we work together with for providing us with services, such as hosting, supporting and maintaining the framework of our People & Culture information systems.
Personal information may also be shared with certain interconnecting systems such as recruitment systems and local payroll and benefits systems. Data contained in such systems may be accessible by providers of those systems, their associated companies and sub-contractors.
We undertake routine due diligence on all such third parties to consider appropriateness of sharing personal information with them.
Examples of third parties with whom your data will be shared include tax authorities, regulatory authorities, Bamboo's insurers, bankers, IT administrators, lawyers, auditors, investors, consultants and other professional advisors, payroll providers, and administrators of Bamboo's benefits programs. Bamboo expects such third parties to process any data disclosed to them in accordance with applicable law, including with respect to data confidentiality and security. Where these third parties act as a "data processor" (for example, a payroll provider), they carry out their tasks on our behalf and upon our instructions for the above mentioned purposes. In this case your personal information will only be disclosed to these parties to the extent necessary to provide the required services. In addition, we may share personal information with national authorities in order to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.
9. Security of data
Bamboo uses a variety of technical and organisational methods to secure your personal information in accordance with applicable laws.
Bamboo is committed to protecting the security of the personal information you share with us. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk. We limit the number of hard copies, and any that have not been destroyed are stored away in a lockable drawer, and electronic copies are kept securely on cloud based systems with limited authorised access. Any electronic files are password protected and/or encrypted when shared online.
If you are in possession of personal information of any kind (e.g data collected in emails, address books, Excel spreadsheets or contained in curricula vitae or elsewhere) you must ensure that the data are kept in a safe place where unauthorised access cannot occur. Where data is retained in hard copy, storage in a locked drawer or cabinet, accessible only to authorised individuals, is generally the most effective means of securing the data. Where data is kept in electronic form, appropriate password protection and appropriately secured arears should be used. Such personal information may only be used for Company purposes.
10. Transfer of personal information
From time to time your personal information (including special categories of personal information) will be transferred to associated companies of Bamboo or third parties (as described above) to process for the purposes described in this Fair Processing Notice. These companies may be located within the European Union and elsewhere in the world.
As a result, your personal information may be transferred to countries outside of the country in which you work to countries whose data protection laws may be less stringent than yours.
Bamboo will ensure that appropriate or suitable safeguards are in place to protect your personal information and that transfer of your personal information is in compliance with applicable data protection laws and carefully managed to protect your privacy rights and interests and transfers are limited to countries which are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangement are in place to protect your privacy rights. Where required by applicable data protection laws, Bamboo has ensured that service providers (including other Bamboo associated companies) sign standard contractual clauses as approved by the European Commission or other supervisory authority with jurisdiction over the relevant Bamboo exporter, for example like the EU-USA Privacy Shield for the protection of personal information transferred from within the EU to the United States
11. Your rights
Right to access, correct and delete your personal information
Bamboo aims to ensure that all personal information is correct. You also have a responsibility to ensure that changes in personal circumstances (for example, change of address and bank accounts) are notified to Bamboo so that we can ensure that your data is up-to-date.
You have the right to request access to any of your personal information that Bamboo may hold, and to request correction of any inaccurate data relating to you. You furthermore have the right to request deletion of any irrelevant data we hold about you.
Data portability
Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal information is processed by automatic means, you have the right to receive all such personal information which you have provided to Bamboo in a structured, commonly used and machinereadable format, and also to require us to transmit it to another controller where this is technically feasible.
Right to restriction of processing
You have the right to restrict our processing of your personal information where:
- you contest the accuracy of the personal information until we have taken sufficient steps to correct or verify its accuracy;
- where the processing is unlawful but you do not want us to erase the data;
- where we no longer need the personal information for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
- where you have objected to processing justified on legitimate interest grounds (see below) pending verification as to whether Bamboo has compelling legitimate grounds to continue processing.
Where personal information is subjected to restriction in this way we will only process it with your consent or for the establishment, exercise or defense of legal claims.
Right to withdraw consent
Where you have provided us with your consent to process data, you have the right to withdraw such consent at any time. You can do this by (i) in some cases deleting the relevant data from the relevant People & Culture system (although note that in this case it may remain in back-ups and linked systems until it is deleted in accordance with our data retention policy) and by (ii) contacting People & Culture.
Right to object to processing justified on legitimate interest grounds
Where we are relying upon legitimate interest to process data, then you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as a basis for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
You also have the right to lodge a complaint with a supervisory authority, in particular in your country of residence, if you consider that the processing of your personal information infringes applicable law.
For further information regarding your rights, or to exercise any of your rights, please contact People & Culture.
Additional Fair Processing Notices
We may undertake certain processing of personal information which are subject to additional Fair Processing Notices and we shall bring these to your attention if they apply.
Notice of changes
Bamboo may change or update this Fair Processing Notice at any time.
Should we change our approach to data protection, you will be informed of these changes or made aware that we have updated the Fair Processing Notice so that you know which information we process and how we use this information. This Fair Processing Notice was last updated and reviewed in June 2021.