Notice

COVID-19 loan schemes: privacy notice

Updated 3 July 2023

This privacy notice is for anyone who has dealings with the Department for Business and Trade (DBT) in connection with a financial product provided under the COVID-19 loan schemes (including convertible loan products). It includes the following schemes delivered by the British Business Bank (BBB):

• Coronavirus Business Interruption Loan Scheme (CBILS)
• Coronavirus Large Business Interruption Loan Scheme (CLBILS)
• Bounce Back Loan Scheme (BBLS)
• Recovery Loan Scheme (RLS)
• Future Fund (FF)

DBT is committed to protecting the privacy and security of your personal information. This notice describes how we collect and use personal information about you in accordance with data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.

DBT is a data controller. This means that we are responsible for deciding how we hold and use personal information about you.

We are required under data protection legislation to notify you of the information contained in this privacy notice.

This notice, together with the British Business Bank privacy notice, other DBT privacy notices and the DBT Personal Information Charter, explains your rights, and the reasons we are using your information.

COVID-19 loan schemes: background

CBILS, CLBILS, BBLS and RLS

These COVID-19 loan schemes provide finance to businesses facing disruption because of the coronavirus pandemic. They are arranged in the following way:

• BBB accredits lenders and works with them to deliver the loan schemes
• accredited lenders process the loan applications and offer finance
• DBT owns the schemes and guarantees the loans

All 3 parties are data controllers for the personal data they process under the loan schemes.

Future Fund

The Future Fund is a government scheme, managed through an agreement between DBT and British Business Financial Services Limited (a wholly owned subsidiary of BBB), designed to support UK-based companies facing financing difficulties due to the coronavirus pandemic. They are arranged as follows:

• a lead investor initiates an application and is permitted to provide information on behalf of an investee company and other investors, provided the lead investor has obtained the consent of the others to do so
• the investee company provides and verifies information during the later stages of the application
• information about the lead investor and the other investors is used by the portal to conduct certain loan checks, to compile legal documentation for execution to the lead investor and the other investors
• once the application is accepted, UK FF Nominees Limited enters into a convertible loan agreement with the company and the other investors
• on the occurrence of certain conversion events as set out in the convertible loan agreement, the loan will convert into shares in the capital of the company

UK FF Nominees Limited is the legal titleholder to the Future Fund’s loans and any shares resulting from their conversion. It holds beneficial interest in the loans (and any shares resulting from their conversion) on bare trust for the benefit of DBT.

DBT and BBB are data controllers for the personal data they process under the loan schemes.

Data protection officer contact details

You can contact the DBT Data Protection Officer at:

Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Admiralty Place
London
SW1A 2DY

Email: dataprotection@trade.gov.uk

Data protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

1. Used lawfully, fairly and in a transparent way.

2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4. Accurate and kept up to date.

5. Kept in a form that identifies you for only as long as necessary for the purposes we have told you about.

6. Kept securely.

7. Processed in accordance with the UK GDPR, and we must be able to demonstrate our compliance with the Accountability Principle.

The kind of information we hold about you

Personal data is information that relates to an identified or identifiable individual and only includes information relating to natural persons who:

• can be identified or who are identifiable, directly from the information in question
• who can be indirectly identified from that information in combination with other information

We receive data provided as part of loan and funding applications (‘loans data’) which includes:

• identity of loan applicant
• business type
• trading names
• personal names (sole trader and partnerships)
• company name and company number
• business address and postcodes
• details of loans (including amounts applied for)

As a large proportion of companies, sole traders and partnerships trade under an individual’s name, trading names, address, postcode may be considered personal data.

Future Fund applications may include personal data of related individuals, for example a lead investor on behalf of syndicate members or a chief financial officer acting on behalf of a business management team, solicitors, directors, shareholders, and so on. Personal data includes names, signatures, addresses, contact details, proof of identity, as well as financial information. It is expected that the information of any nominated business contacts and investor contacts is kept up to date throughout the term of the loan for the purposes of portfolio administration.

We also receive founder diversity and gender information about the companies that have obtained Future Fund investment in order to research take up of the scheme.

Through our role as a government department with responsibilities towards the loan schemes (including activity in relation to criminal enforcement and civil recovery of funds), we may hold data which includes:

• names, addresses, contact details, dates of birth, National Insurance numbers
• employment history
• location data
• online identifiers, including IP addresses, cookie identifiers from third party websites
• information relating to a person’s economic identity, including credit ratings, financial information and banking records
• an individual’s personal views and opinions, including recordings and transcriptions of interviews undertaken as part of an investigation

We may also hold special categories of more sensitive personal data which require a higher level of protection including:

• personal data revealing racial or ethnic origin
• personal data revealing political opinions
• personal data revealing religious or philosophical beliefs
• personal data revealing trade union membership
• genetic data
• biometric data (where used for identification purposes such as fingerprints and facial recognition)
• data concerning health
• data concerning a person’s sex life and sexual orientation
• criminal records and allegations of criminal offences

How your personal information is collected

We collect personal information directly from you in circumstances such as:

• you have made a complaint or enquiry to us
• you have made an information request to us
• you are representing your organisation

We collect information including personal data from BBB where:

• an accredited lender has offered finance to a business under CBILS, CLBILS, BBLS or RLS; or
• UK FF Nominees Ltd has agreed to offer an unsecured convertible loan to company and enters into a convertible loan agreement;
• UK FF Nominees is a shareholder in a company as a result of the convertible loan agreement converting into equity in accordance with its terms

We also receive personal information indirectly, from the following third parties and/or in the following scenarios:

• we have seized personal information as part of an investigation
• from other public authorities, regulators or law enforcement bodies
• where you have made your contact information available on your organisation’s website and we use this to contact you and your organisation in our role as a government department and/or guarantor of the scheme
• publicly available sources, including Companies House
• banks and other financial institutions
• credit reference agencies
• anti-fraud organisations
• other government departments and public authorities
• your agent or representative

How we use your information

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information where:

• we need to comply with a legal obligation
• it is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority as a government department
• it is necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences including fraud

In limited circumstances we will ask you for your consent to use your personal information, but your consent is not required if any of the above apply.

Situations in which we will use your personal information

We will also process your personal data in the following circumstances:

• when carrying out any of our lawful functions
• to check the data we hold about you is accurate and up to date
• to compare it against other information to help combat fraud and crime
• when investigating an offence, engaging with parties to the investigation, including evidence gathering, fulfilling disclosure obligations and discussions to agree appropriate outcomes
• for case management, including evidence analysis and storage in line with statutory obligations
• to prevent, detect or prosecute a crime
• to bring civil proceedings and/or debt recovery as loan guarantor
• to undertake statistical and analytical analysis
• to respond to questions sent to the department

We process the loans data received from BBB to:

• analyse and review the take up, impact, performance and costs of the loan schemes
• research the effectiveness of the loan schemes and support future policy development
• prevent and detect crime; including the use of fraud analytics to look for unknown or undetected criminal patterns and behaviour
• to take action to mitigate the risk of loss in relation to fraud against a public authority including:
  • preventing, detecting, investigating and prosecuting fraud
  • bringing civil proceedings as a result of fraud
  • taking administrative action in connection with fraud

How we use particularly sensitive personal information

Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.

We will, if necessary, process special categories of personal information in the following circumstances:

• where we need to carry out our legal obligations and it is in line with our data protection policy
• where it is in line with our data protection policy, it is substantially in the public interest to do so and necessary for:
  • performing our functions as a government department
  • the prevention, investigation, detection or prosecution of criminal offences
  • preventing or detecting unlawful acts
  • preventing or detecting fraud
• where we have your explicit consent to do so - we do not require your explicit consent where any of the above apply

Read our Appropriate Policy Document to find out how DBT processes particularly sensitive personal information.

Information about criminal convictions

We will only use information relating to criminal convictions or alleged criminal behaviour where the law allows us to do so. This can arise when it is necessary for us to carry out our official functions.

We will only collect information about criminal convictions or allegations of criminal behaviour where it is appropriate and where we are legally able to do so.

We are allowed to use your personal information in this way where it is in line with our data protection policy.

Read the DBT Appropriate Policy Document to find out how we process information about criminal convictions.

Lawful basis for processing

Legal basis for processing personal data for non-law enforcement purposes

Where DBT processes personal data for non-law enforcement purposes, the processing will fall under the UK GDPR and the Data Protection Act 2018 (DPA 2018). There are a number of requirements listed in the DPA 2018 to ensure this is lawful. Annex A provides a detailed explanation of how DBT achieves this.

Legal basis for processing personal data for law enforcement purposes

As part of our responsibilities under the COVID-19 loan schemes, DBT plays an enforcement role to protect the government guarantee to lenders in respect of loans provided to borrowers.

The processing will fall under Part 3 of the Data Protection Act 2018 as DBT processes data for the purpose of conducting criminal investigations and/or prosecutions. DBT is a competent authority for the purposes of the DPA 2018.

Where an investigation is of a civil nature or in relation to civil litigation, processing is subject to the UK GDPR. Processing in the context of a criminal investigation or proceedings will be subject to provisions of the DPA 2018.

Annex B provides a more detailed explanation of the legal basis for processing.

Data sharing

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

In some circumstances we are legally obliged to share information. For example, we might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.

We may also share your information for the purposes of debt recovery in circumstances where we are obliged to pay out to accredited lenders as guarantor of the COVID-19 loan schemes. If the debt remains outstanding after the specified timeframe for payment, no payment plan is in place or an agreed payment plan is not being adhered to, we may initiate formal proceedings to recover the full amount of the outstanding loan and associated interest. As a result DBT will share personal data with the litigation and recovery agents it instructs in order for them to identify assets and undertake recovery action through the courts.

Where required by law, information relating to individual COVID-19 loans (which may include amongst other details the identity of the borrowers and size of loan) will be shared with the European Commission under the State aid Temporary Framework and the approval for the ‘COVID-19 Temporary Framework for UK Authorities’. The European Commission will make this information publicly available in due course on its State Aid Transparency public search website.

Where required by law, information relating to individual COVID-19 loans (which may include amongst other details the identity of the borrowers and size of loan) will be shared on the UK’s public transparency database to enable compliance with the UK’s international subsidy reporting requirements with regards to the UK-EU Trade and Co-operation Agreement, World Trade Organisation Agreement on Subsidies and Countervailing Measures and other Free Trade Agreements.

We may share data with the Bank of England. This may be as part of their responsibility to regulate and supervise accredited lenders or in their official functions to gather, analyse and publish data, which inform their policy decisions and response to key economic events or crises.

We will, in some circumstances and where the law allows, share your data with third parties, including:

• British Business Bank
• other government departments
• public authorities (including local authorities)
• law enforcement agencies both in the UK and overseas
• regulatory bodies
• debt collection agencies
• credit reference agencies
• anti-fraud organisations
• banks (including accredited lenders)
• other financial institutions

When we may share your personal information with third parties

We will share your personal information with third parties where:

• required or allowed by law
• it is in the public interest to do so
• you authorise us to do so
• it is necessary for the performance of our functions as a government department or a function of the Crown, another government department or another public authority

This includes:

• our executive agencies, including the Insolvency Service and Companies House
• the Cabinet Office
• HM Revenue and Customs
• the Department of Work and Pensions
• the Home Office
• local authorities
• the security and intelligence services, for their functions
• courts and tribunals
• your agent or legal representative

Personal data shared with third parties may be disclosed onward to other third parties for specific purposes where there is a lawful basis and subject to DBT’s authority. For example, DWP may disclose information obtained from DBT to local authorities for certain social security, welfare and council tax purposes.

We will also share your personal information with the police and other law enforcement agencies where it is necessary to do so for the prevention, investigation, detection or prosecution of criminal offences, and other regulatory authorities when it is necessary for the purposes of their regulatory functions.

This will, in some circumstances, involve sharing special categories of personal data and, where relevant, data about criminal convictions or allegations.

Disclosure to a specified anti-fraud organisation - Serious Crime Act 2007

DBT may disclose information to a specified anti-fraud organisation (SAFO) for the purposes of preventing fraud.

Section 68 of the Serious Crime Act 2007 was introduced as part of the government’s commitment to preventing fraud. It enables public authorities to disclose information for the purposes of preventing fraud, as a member of a SAFO or otherwise in accordance with any arrangements made with such an organisation. A SAFO enables or facilitates the sharing of information for the prevention of fraud and is specified by an order made by the Secretary of State. Disclosures of information from a public authority to a SAFO are subject to a code of practice and this, along with a full list of SAFOs we may share information with, is available on GOV.UK: Data sharing for the prevention of fraud: code of practice. In addition, all disclosures must be made in accordance with data protection legislation.

Disclosure of information to combat fraud against the public sector

Section 56 of the Digital Economy Act 2017 enables public authorities to share information in order to take action in connection with fraud against a public authority. This type of information sharing helps us to improve our ability to identify and reduce the risk of fraud against the public sector and recover public sector funds.

Fraud in this context means a fraud offence which involves:

a) loss to a public authority, or
b) the exposure of a public authority to a risk of loss

Taking action includes:

• preventing
• detecting
• investigating and prosecuting fraud
• bringing civil proceedings
• taking administrative action as a result of fraud

Where DBT has entered into information sharing under this power, it has taken steps to ensure that information sharing proposals are balanced and proportionate and come under an appropriate level of scrutiny. This includes ensuring that such arrangements are set out in appropriate information sharing agreements.

We only use personal information shared under this power for the purpose for which it was disclosed, unless certain exceptions apply including:

a) if the information has already lawfully been made available to the public
b) the prevention or detection of crime
c) for the purposes of a criminal investigation
d) for the purposes of legal proceedings (whether civil or criminal)

DBT undertakes fraud analytics in respect of data from all loan applications (company name and registration number, trading name, post code and lender demand date) for the purpose of quantifying and/or identifying fraud and to look for potential fraudulent behaviour, patterns and trends. This activity is not limited to those applications where potentially fraudulent or suspicious activity has been identified.

As part of the fraud data analytics programme, we share loan data with the Cabinet Office (DBT data processor) to match it with other government data sets. The Cabinet Office shares this data with their sub-processor Quantexa Limited. Quantexa uses this data, along with data from various other sources, to support the Cabinet Office in delivering the fraud data analytics programme. The Cabinet Office remains liable to DBT (the controller) for their sub-processor’s compliance under the UK GDPR.

As part of the fraud data analytics programme, we share loan data with the Cabinet Office to match it with other government data sets. The results of this will be shared with DBT, the BBB, accredited lender(s) and other government bodies and law enforcement agencies as appropriate.

Data security

We have put in place measures to protect the security of your information.

Our third-party service providers will only process your personal information on our instructions or with our agreement, and where they have agreed to treat the information confidentially and to keep it secure.

We treat the security of your data very seriously. We have strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep information safe.

Where possible the personal data is minimised, aggregated, or anonymised, for example in reporting performance, estimated losses and so on.

We have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about you.

In addition, we limit access to your personal information to those persons, or agents who have a business or legal need.

We have put in place procedures to deal with any suspected data security breach and will notify you and the regulator of a suspected breach where we are legally required to do so.

All organisations we work with are required to agree to move, process and destroy data securely i.e., in line with the principles set out in HM Government Security policy framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information.

Retention of your personal data

Personal data is retained in accordance with the DBT retention and disposal policy. We aim to retain your personal information for only as long as it is necessary for us to do so for the purposes for which we are using it and in line with our retention and disposal policy.

In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you.

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access: you have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification: you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure: you have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing: you have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing: you have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.

Your right to data portability: this only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

Your rights - law enforcement processing

If we are processing your information for law enforcement purposes, your rights are slightly different.

You have a right to access your personal data held by or for us. You also have a right to get inaccurate data rectified and incomplete data completed, and for your personal data to be erased in certain circumstances.

We will provide further information directly to data subjects in specific cases to enable them to exercise their rights. This might be in cases where we are processing your personal data that was collected without your knowledge.

We will not do this where doing so would be prejudicial to our investigation or for other reasons set out in section 44(4) of the Data Protection Act 2018.

International transfers

Your personal data will not be processed outside the UK and European Economic Area (EEA), or by an international organisation.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

0303 123 1113
Email: casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Changes to this privacy notice

We keep our privacy notices under regular review. If there are any changes we will update this page to tell you, for example, about any new uses of personal data.

Check this page to make sure you are aware of what information we collect, how we use it and the circumstances we may share it with other organisations.

From time to time, we may also tell you in other ways about the processing of your personal data.

Annex A: Detailed explanation of the legal basis for processing – non-law enforcement purposes

Our lawful basis for processing loans data is UK GDPR Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, which in this case is in the exercise of a government function in the delivery of the COVID-19 loan schemes.

For the purposes of UK GDPR Article 6(3) the legal basis for the establishment and operation of the fraud data analytics program for the purposes of taking action in connection with fraud, is covered by Part 5, Chapter 4, section 56 of the Digital Economy Act (DEA) 2017. This provides powers for government departments / organisations to share information for the purposes of taking of action in connection with fraud against a public authority.

DBT also relies on the following legal bases under Article 6(1) of the UK GDPR (depending on the context of the data processing) where processing personal data for non-law enforcement purposes:

• 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
• 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject
• 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• 6(1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual, particularly where the individual is a child

Where DBT relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of individuals and has concluded that they are not.

In addition, where the processing for any of the non-law enforcement purposes is sensitive processing, DBT processes data under the following article 9(2) conditions of the UK GDPR:

• where we have your explicit consent, this will be appropriately documented, and you will be able to ‘opt out’ at any time
• where processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
• where processing is necessary for reasons of substantial public interest

In order for DBT to process special category data for reasons of substantial public interest, the processing must meet one of the conditions set out in Part 2, Schedule 1.

The condition(s) DBT relies on in Schedule 1 will depend on the context of the data processing concerned.

Archiving, research and statistics

In order for DBT to process special category data in reliance upon this Article 9 condition, the processing must meet one of the conditions set out in Part 1, Schedule 1. This applies where the DBT transfers material to the National Archives.

We also receive and may publish diversity and gender information about Future Fund companies that have obtained investment.

Read our Appropriate Policy Document to find out how DBT processes special category data.

Annex B - Detailed explanation of the legal basis for processing – law enforcement purposes

As a United Kingdom government department (Data Protection Act 2018, section 30 and Schedule 7(1)), DBT is a competent authority for the purpose of Part 3 of the DPA 2018 which applies to the processing of personal data by such authorities for law enforcement purposes.

These purposes are set out at s.31 DPA 2018 and are the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security.

Our processing is either done because it is necessary for the performance of a task relating to one of these purposes (s.35(2)(b) DPA 2018) or with the consent of the individual (s.35(2)(a) DPA 2018).

We process personal data for the purposes of law enforcement in the following 3 areas:

• criminal investigations
• intelligence
• financial recovery

Our processing can also include sensitive processing which means processing special category data for law enforcement purposes. Where this is the case, we rely on either the consent of the individual (s.32(4)) or, provided the processing is strictly necessary for the law enforcement purposes, on a condition set out in Schedule 8 of the DPA 2018 (s.35(5).

The relevant conditions in schedule 8 of the Data Protection Act 2018 are:

i. for statutory purposes where DBT is processing data through exercising powers under the Police and Criminal Evidence Act 1984 or Proceeds of Crime Act 2002 (to conduct cases that involve the proceeds of crime) or any other relevant law, and where case teams ensure processing is necessary for reasons of substantial public interest.

ii. for the administration of justice.

iii. for the safeguarding of children and of individuals at risk where the DBT is processing data of victims, witnesses or other individuals connected to investigations and prosecutions who are under 18 or are considered vulnerable or at risk. The DBT case teams will ensure that processing is necessary for DBT to effectively investigate offences and fulfil our statutory function, and handle consent in line with the Victims’ Code of Practice.

iv. personal data already in the public domain - this condition is met if the processing relates to personal data which is manifestly made public by the data subject.

v. preventing fraud – where it is necessary to prevent fraud, and

a) consists of—
i) the disclosure of personal data by a competent authority as a member of an anti-fraud organisation
ii) the disclosure of personal data by a competent authority in accordance with arrangements made by an anti-fraud organisation
iii) the processing of personal data disclosed as described in sub-paragraph (i) or (ii)

An ‘anti-fraud organisation’ has the same meaning as in section 68 of the Serious Crime Act 2007.

vi. Legal claims – where it is necessary for or in connection with legal proceedings or to obtain legal advice or to establish, exercise or defend legal rights.

vii. For Archiving purposes where data is contained within files that meet the criteria of ‘long term interest’ defined by the DBT Retention Schedule and will therefore be transferred to The National Archives (TNA) under the Public Records Act 1958. DBT will make decisions as to the archiving of data under the guidance of the Keeper of Public Records.

Read our Appropriate Policy Document to find out how DBT conducts sensitive processing.