What is your lawful basis for collecting my personal data?
Data protection legislation requires organisations to have a lawful basis for collecting and processing your personal data. We have set out below the six lawful bases that can be used and examples where we will commonly rely on each:
We typically use consent for our marketing activities and where we process special category data (for example health information you provide to us to make a reasonable adjustment to your exam).
When you register with us to receive a product or service, such as studying a qualification or attending an event, we will normally process your personal data on a contractual basis to fulfil the service or product you have requested.
We may rely on this basis where we are legally obliged or have a statutory obligation to process your personal data. This may include providing statistical information to regulatory agencies such as the Higher Education and Statistics Agency (HESA) and information for the prevention, detection or prosecution of crimes. We will only share your data where essential and we have clearly identified the source of the legal obligation.
We would only use this basis to process your data where we feel it is necessary to protect your life. For example, should you be taken ill whilst on our premises and are unable to give consent yourself, then we may share any health information we hold with the emergency services.
This basis would usually be used by public authorities to carry out public functions and powers set in law or tasks by organisation within the public interest. We would not expect to have to process your personal data on this basis.
We may rely on this basis where we determine we have a legitimate interest in processing your data. We would use this basis where we determine you would reasonably expect us to process your data in this way and it has minimal impact to your privacy. For example, we may determine that it is in our interests to communicate changes in regulatory requirements to previous customers, that you would reasonably expect this and that it has minimal impact to your privacy.
We may use legitimate interest for some of our marketing activities, particularly where you have recently made a transaction with us. Please refer to section 12 below on how to change your marketing preferences.
We may also rely on this basis to protect the integrity of our qualifications and prevent fraudulent activity including but not limited to student malpractice and centre maladministration.
When do you collect my personal data?
When you first contact us we create a record in your name and allocate you a unique ID number. Any information that you give us, or we generate, from then on is added to your record. We endeavour to ensure the accuracy of all records, but we rely on you to keep your personal data up to date, either online via myLIBF or by informing our Student and Customer Services team of any changes. You can contact them by email or by calling on +44 (0)12 2781 8609.
Information collected automatically
When you visit our websites we automatically collect anonymized data about your visit and securely store it using Google Analytics. We use this to improve user experience and navigation of our website, the services we offer you. The type of data we collect includes:
- session duration
- page views
- traffic source
- IP address, and
- actions taken (e.g. PDF downloads clicks, form submissions)
We have enabled data collection for Display and Search Remarketing. This includes data from Google’s signed-in users who have chosen to enable Google to associate their web and app browsing history with their Google account, and to use such information cookies provide to show personalised ads on sites across the internet based on someone’s past website visits.
Advertising Reporting Features
We have enabled Advertising Reporting features like Audience Demographics and Interests Reporting, DoubleClick Campaign Manager reporting, DoubleClick Bid Manager reporting, and Google Display Network Impression Reporting that help us better understand our users.
We use live chat software on our website, this is provided by Click4Assistance, a 3rd party UK based software company. Information regarding how the data is processed and stored can be viewedhere.
Register your interest
You may register your interest with us, typically via a form on our website, to receive more information about our qualifications and services. The information we send will be specific to the areas you’ve registered your interest in.
Online invigilation services
We provide online invigilation as a service via one of our two suppliers, BTL Group Limited or Pearson VUE. If we offer you an assessment through the online invigilation platform provided and if you choose to take such assessment through the platform, you agree that you are being monitored over the Internet through your computer via your webcam and microphone during your exam session. Online invigilation means that you will log on to a test platform through the Internet to take your assessment and you will be monitored, sometimes in real time, during your entire assessment session so that your face, voice, desk and workspace will be captured and a recording will be made of these for the purposes of assessment security and the integrity of the assessment process. It is your responsibility to ensure that only you will be recorded during an online invigilation testing session and that no one else will be physically in the room where you are testing and that no one speaks to you during your testing sessions.
If you use the online invigilation service to take assessments, we and our suppliers may also collect and record further information about you when you take the exam which is online invigilated, such as your name, email address, captured facial photo, captured ID photo/government issued ID, physical (visible) health data/condition (by virtue of video recording), racial/ethnic origin/religious beliefs (by virtue of video recording), IP address, browser agents, browser and operating system identifiers, screenshots of your PC, your exam setting (home, office etc), all recorded video streams (computer, webcam and mobile), name of the exam you are sitting and other assessment based data that may be collected, including information about browser version, appVersion, appName, product and appCodeName, video frame size, type and library used for encoding, framerate, jitter, packet loss and bandwith.
The video and audio recordings are standard test procedures for all awarding organisations’ online invigilated tests and your video and audio recording will only be used for purposes of identity verification, online observation, incident resolution such as fraud prevention, test security and for the integrity of the test and testing process.
All of the same personal data collected or received as described above applies for all LIBF online invigilated assessments. Prior to the start of your online invigilated test you may be required to take a picture of yourself. The collection of such data is optional, but necessary if you choose to use the online invigilation function. You understand that the audio and video-tapes of your testing sessions, as well as photos, will be supplied in certain circumstances to us, the awarding organisation, to assist with the test management of your test.
We will retain your personal data no longer than is necessary for the purposes for which it is processed. The length of time for which our suppliers and their subprocessors retain information may also depend on the specific retention periods set out by us, your awarding organisation, and applicable laws.
When you use the online invigilation service provided by BTL, they use selected third party service ProctorExam that is hosted in Germany (Frankfurt Region), to process your data on our behalf. As part of the provision of the service by BTL to us, your awarding organisation, you agree that some or all of the above personal data may be processed outside the UK and EEA. In such circumstances, and if you are based in the UK or EU, we will, as required by GDPR, ensure that your privacy rights are protected by appropriate safeguards.
When you use the remote invigilation service provided by Pearson VUE, personal data is stored and processed in the US. All data is transferred and held in compliance with applicable laws for transfer of EU candidate data to the US and pursuant to the Privacy Shield Framework.
As part of the online invigilation services you also agree to allow your personal data to be transferred by BTL or Pearson VUE to us, your awarding organisation, from whom you seek certification. We require your personal data so that tests can be correctly administered, and certification can be processed, granted and administered. For more information about how we, your awarding organisation, may collect and use your personal data we encourage you to review our full privacy notice.
What type of personal data do you collect?
We seek to only collect the personal data we require to respond to your request, deliver a product or service or meet a statutory reporting obligation. We have provided some typical examples below:
New customer enquiries:
When you contact us for the first time we may ask you to provide some basic personal data (e.g. name and contact information) to allow us to respond to your enquiry and send any links, forms, documents etc. A record will be created in your name under a unique ID number (an LIBF number) and your personal data stored securely.
Existing customer enquiries:
When you contact us again we may request information that will help us to establish your identity and prevent fraud. Once we have verified your identity, any further personal data you provide will be stored securely on your existing record.
Study and membership application/registration:
When you complete an application to study one of our programmes or become a member of The London Institute of Banking & Finance you will be asked to provide sufficient personal data to:
- Register you for a programme of study
- Allow distribution of study materials/correspondence
- Allow communication when required
- Confirm bank details and authorise to debit the account of the student
- Confirm your job title and employer (if applicable)
- Obtain statistics for future marketing campaigns (where did you hear about us etc.)
- Confirm that you meet any entry criteria (if applicable)
- Confirm that coursework assignments will be your own work (if applicable)
When you register online to attend an event managed by The London Institute of Banking & Finance you will be asked to provide sufficient personal data to:
- Identify you
- Register you for the event
- Communicate with you regarding the event
Special category data:
Special category data is data that is more sensitive and requires extra protection. This type of data includes: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation. We only collect and process special category data where necessary and will always seek your consent to process it. We currently collect ethnicity data for students studying our HE programmes to comply with statutory reporting requirements. We may process health information which you choose to share with us to make reasonable adjustments to your assessment for a short or long term disability, or to give special consideration of extenuating circumstances, for example should you be unable to take an assessment for health reasons.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
How you use my personal data?
Depending on the product or service you have requested from us, we will use your personal data:
- To process your application/registration for the study of modules and qualifications. This may also require your personal information to be passed to a third party for the delivery of study materials, or the provision of teaching or examination facilities. We may also contact other institutions to confirm your qualifications.
- To process your application for a Statement of Professional Standing (SPS) or Certificate of Professional Achievement (CPA).
- To process any application you make for membership and to maintain that membership.
- To maintain our public Professional Services Register, a searchable register of current members and those who hold one or more of our professional services.
- To process and issue certificates and/or digital badges to eligible students and customers (please refer to section 9 for details of who we share data with for digital badges).
- To process any application for additional services, such as CPD, seminars or conferences.
- To process payments and undertake fraud prevention.
- To provide information about additional services and products that may be of interest to you.
- To undertake research in order to help us plan and improve our services.
- To provide information to government bodies, such as Ofqual, the FCA, the Student Loans Company (SLC) and Higher Education Statistics Agency (HESA), in accordance with statutory and government requirements.
Your course results may be:
- disclosed to your employer if your application included details of your employer
- disclosed to your provider of tuition
- published when you have completed the qualification. The information published may include your name, the name of your employer and details of your qualification.
We use a range of technical and organisational measures to protect your personal data. This includes:
- Training all staff on the principles of data protection and including terms within contracts and annual compliance checks.
- Secure processing of all transactions via our website.
- Applying secure storage and encryption methods to personal data held on our computer systems.
- Ensuring appropriate contracts are in place where we deliver our services with third parties and undertaking compliance audits where relevant.
- Industry standard security and encryption employed for the transfer of personal data between sites and third parties.
- CCTV used to monitor and record building entry and exit points, key card entry to office buildings and coded security access to server rooms.
- Monitoring our systems and undertaking annual penetration testing and monthly vulnerability scanning to identify and strengthen any vulnerabilities identified.
- Our IT Systems and Controls comply with the Cyber Essentials Certification.
How long will you keep my personal data?
We will only keep your personal data for as long as is necessary for the purpose it was collected. You can find some examples of this below:
Study records – we will keep personal data relating to your studies (academic record) permanently. This forms part of our core records and enables us to provide verification of any awards you achieve, issue replacement transcripts/certificates and meet any legal obligations including the prevention of fraud.
Reasonable Adjustments and Special Consideration – information you provide to request reasonable adjustments for a short or long term disability, or special consideration of extenuating circumstances will be kept for as long as required to support your studies and meet the requirements of our assessment boards.
Financial transactions – we are legally obliged to keep a record of all financial transactions for six years.
Who do you share my personal data with?
We will share your personal data with third parties where necessary to deliver our products and services. This includes:
- Couriers for delivery of study materials.
- Printing and scanning services for production and marking of assessment materials.
- Venues we use for the delivery of assessments to enable booking and identification of candidates.
- Venues and speakers we use for the delivery of events
- Government and other regulatory departments where we have a legal obligation or legitimate interest to do so
Where we share personal data with third parties we will;
- have an appropriate agreement specifying how the data may be used;
- ·only share as much information as is required to deliver the specified service;
- require they have suitable technical and organisational measures in place to protect your personal data, and;
- ensure your personal data is securely disposed of when it is no longer required to deliver the service or on termination of our agreement with the third party.
We will not share or sell your data to third parties to use for their own purpose. We do sometimes identify third party products or services that may be of interest to our customers and may share this ourselves with customers who have opted-in to receive this information (see ‘marketing preferences’).
Where is my personal data processed?
The majority of personal data we collect is processed within the UK and may be stored on servers within the EU. However, we have students and members throughout the world and the personal data of those students and members is necessarily transferred overseas when fulfilling their applications for study, membership or other services.
For customers undertaking exams with Pearson VUE, personal data is stored and processed in the US by Pearson VUE, who administer the delivery of electronic assessments in test centres on our behalf. All data is transferred and held in compliance with applicable laws for transfer of EU candidate data to the US and pursuant to the Privacy Shield Framework.
Under the General Data Protection Regulation you can exercise the following individual rights over your personal data:
To be informed how we will use your personal data
We will inform you of how we will use your data by short processing statements, typically provided at the point you request a product or service from us, and in more detail via this Privacy Notice. We will also endeavour to answer any further questions you may have on how we use your personal data.
To have access to your personal data
You can gain access to most personal data we hold for you by logging into your MyLIBF account. You can also gain access to any further information we may hold by submitting a Subject Access Request (SAR), which is free of charge in most cases.
To correct your personal data
You can request we correct any personal data for you which may be inaccurate, incomplete or out of date. You can amend most of your personal data by logging into your MyLIBF account.
To have your data deleted
You can request that we delete personal data that we hold for you. We will consider all requests for deletion and endeavour to fulfil the request where possible. We will not normally delete records of qualifications as this forms part of our core academic record and may be necessary to prevent fraudulent activity. We may also be legally obliged to retain some personal data for a specified period of time such as financial transactions and to meet statutory reporting requirements. We will highlight as far as possible the implications of deleting any personal data but may not be able to foresee all circumstances and the final decision to accept the deletion will need to be yours. We will hold a record to be able to confirm we have processed a deletion request.
To have your personal data provided in a portable format
You can request that we provide a copy of your personal data in a format that can be easily shared with another organisation. We will normally provide this in a .csv (comma-separated values) format, compressed within a .zip file, but will endeavour to meet any other requests.
To restrict the processing of your data
You can request that we restrict how we process your data. This may be used as an alternative to having data deleted, allowing us to store your personal data but not process it. This may affect the products or services we can provide to you and there may be some limitations where we have a legal obligation to still process.
To object to the processing of your personal data
You have the right to object to direct marketing at any time. You can do this by logging into your MyLIBF account and changing your preferences to opt-out or by clicking the link included at the bottom of all marketing emails we send. This will not affect transactional emails we send that are necessary for delivering any product or service.
To have your personal data amended or to object to direct marketing please login to your MyLIBF account or contact Student and Customer Services by calling +44 (0)12 2781 8609.
If we are unable to fulfil a request we will confirm this with you and provide an explanation.
How can I manage my marketing preferences?
You can change your preferences at any time by using the link at the bottom of all our marketing communications, logging into MyLIBF and changing subscription options under ‘My Details’ or, by contacting the Student & Customer Services team. This will only affect marketing communications and you will still receive transactional communications which are necessary to deliver the products and services you have requested.
Who is the regulator of data protection?
Should you be unhappy with the way we have used your personal data or how we have responded to a request, you have the right to complain to the Information Commissioner’s Office. You can find guidance and contact information by visiting www.ico.org.uk/concerns.
If you are based outside of the UK you may have the right to lodge a complaint with the data protection supervisory authority in your country of residence.
Who should I contact to exercise my rights or seek further information?
If you have any questions, require further guidance or would like to submit a rights request, you can contact our Data Protection Coordinator by;
- emailing firstname.lastname@example.org, or;
- writing to: Data Protection Coordinator, 4-9 Burgate Lane, Canterbury, Kent, CT1 2JX, United Kingdom
Third party web sites
Our websites contain links to other websites and this data protection statement does not apply to those websites. If you transfer to another website you should read their data protection statement for their policy on the use of personal information.
If you have any comments or questions regarding this statement, please contact the Data Protection Coordinator at:
Data Protection Coordinator
The London Institute of Banking & Finance
4 – 9 Burgate Lane