The Chartered Banker Institute is a professional Institute incorporated under Royal Charter, which is registered as a charity in Scotland (number SC013927) and having its principal office at Drumsheugh House, 38b Drumsheugh Gardens, Edinburgh EH3 7SW, United Kingdom.

This Privacy Notice explains the Institute’s approach to how we use and protect the information that you provide to us. The Institute must comply with the Data Protection Principles which are set out in the General Data Protection Regulations and the Data Protection Act 2018. 

Privacy Policy

Our commitment

The Institute is fully committed to handling personal data in accordance with the data protection legislation outlined above and following best practice. This means that your personal data will be:

  1. Processed lawfully, fairly, and in a transparent manner.
  2. Collected for specified, explicit and legitimate purposes.
  3. Only collected so far as required for our lawful purposes.
  4. As accurate and up to date as possible.
  5. Retained for a reasonable period of time, in accordance with retention policies.
  6. Processed in a manner which ensures an appropriate level of security.

Whether through this notice or otherwise, we hope to be as transparent as possible. We aim to ensure that you have an understanding of why the Institute processes personal data, how we process personal data, and the rights you may have as a data subject.

What personal data does the Institute collect?

The Institute collects personal data to fulfil our role as a professional body. As there are many different aspects to this role, the information requested and collected may vary.

From our members:
The personal data most commonly collected from Institute members and student members is as follows:

  • Name
  • Contact details (including home and business addresses, email, telephone number)
  • Date of birth
  • Employment details (including current and previous employers)
  • Information connected to education and training (including assessment data)
  • Records of learning and development activity (CPD records)
  • Attendance records for our courses and events
  • Information regarding investigation and disciplinary processes
  • Records of enquiries, meetings and other direct engagement
  • Copies of physical and electronic correspondence
  • Payment information (e.g. debit/credit card details for paying membership subscriptions)
  • FCA Registration Number
  • Assessment data (examination results, assignments results and experiential assessments)
  • Any special circumstances and reasonable adjustments.

From the public:
The personal data most commonly collected from members of the public is as follows:

  • Name
  • Contact details (including home and business addresses, email, telephone number)
  • Information regarding investigation and disciplinary processes
  • Records of enquiries, meetings and other direct engagement
  • Copies of physical and electronic correspondence

The Institute may collect information about the computer or device which is used to access online services provided by the Institute, for example We use this information to improve the user experience, and to help us better understand the ways in which our website is used. This may include information about:

  • The computer or device type
  • IP address
  • Operating system
  • Browser type and version
  • Time zone setting and browser plug-in types and versions.

This is statistical data about users' browsing actions and patterns. It is collected on an anonymous, aggregated basis, and does not identify individual users.

Does the Institute process any special categories of personal data?

The Institute may collect special categories of personal data from Institute members and student members as is appropriate in our duty to fulfil our role as a professional body. The data we may collect is as follows:

  • Evidence of medical conditions where reasonable adjustments have been put in place for examinations and other assessments.
  • Any special dietary or access requirements, for example, if members are attending an event organised by the Institute. The member agrees that the Institute may use this information for the purposes of organising and running the event.

Why does the Institute need to process personal data?

The Institute will use and store the personal data we collect so that we can support, approve and develop in our role as a professional body. The personal data will also enable us to contact you concerning your queries regarding our services and functions.

This includes (but is not limited to):

  • Quality and training purposes.
  • Providing a wide range of member services.
  • Providing a wide range of training services.
  • Organisation and administration of events.
  • Awarding of qualifications upon completion.
  • Apprenticeship programmes.
  • Acknowledgment of special circumstances and reasonable adjustments.
  • Recognition of learning and development activity.
  • Provision of bespoke training services to employers.

We may also use your information to let you know about other services and products which we offer which may be of interest to you.

How does the Institute collect personal data?

Like most organisations that handle personal data, there are various ways in which the Institute collects personal data including:

  • Email and written correspondence
  • Telephone discussions
  • Visitors to the Institute website
  • Social media
  • Application forms and other information requests
  • From our members' employers (e.g. when a bank enrols its employees for one of our professional qualifications)
  • Direct contact at Drumsheugh House and elsewhere
  • OneDrive
  • Bulk enrolments received from corporate clients

In nearly all instances, it should be obvious to you that the Institute is collecting your personal data.

What is the lawful basis for the Institute’s processing activities?

The Institute will only process your personal data where we believe we have a lawful basis to do so. The basis for processing will vary from activity to activity. Our legal basis for the processing of personal data is as follows:

Consent: you have given clear consent to the Institute to process your personal data

Contract: the processing is necessary for the fulfilment of a contract

Legal obligation: the processing is necessary for the Institute to comply with the law

Vital interests: the processing is necessary to protect your vital interests, including the protection of rights and freedoms

Public interests: the processing is within the official authority of the Institute and in the public interest

Legitimate interests: the processing is necessary for the Institute’s legitimate interests or legitimate interest of a third party, unless the processing is overridden by the vital interests, including rights and freedoms


By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified.

In circumstances where consent is required for the Institute to process personal data, it must be explicitly given. For sensitive personal data we will always tell you why and how the information will be used.

You may withdraw consent at any time by completing a Withdrawal of Consent Form available here:

GDPR_REC_4.6A - Withdrawal of Consent Form

Once the form has been completed and returned to the Institute, processing of the data is stopped in accordance with the relevant process.

Does the Institute share personal data with third parties?

Some of the processing activities set out above require the Institute to share personal data with third parties. Whenever we share personal data, we take all reasonable steps to ensure it will be handled appropriately and securely by the third party.

In some circumstances the disclosure of Personal Data to third parties may involve the transfer of data outside of the European Economic Area (EEA) in accordance with the requirements of Data Protection Legislation. Such countries may not afford individuals the same level of protection as the European Union. Therefore, we will only transfer Personal Data outside of the EEA where we are satisfied that:

  • The non-European Union country has Data Protection laws similar to the laws in the European Union;
  • The recipient has agreed through contract to protect the information to the same Data Protection standards as the European Union;
  • We have obtained consent from relevant data subjects to the transfer; or
  • If transferred to the USA, the transfer will be to organisations that are part of the Privacy Shield.

The main third parties with whom the Institute shares personal data include (but are not limited to):

  • Members of Council, as well as members of the Boards and Committees, who assist us in fulfilling our role as a professional body.
  • Tutors, Examiners and Verifiers who assist us in fulfilling our role as an Awarding Body and also as a provider of Professional Education.
  • Financial Services and other Regulators and relevant statutory bodies (e.g. HMRC, SCQF, FCA).
  • Other professional bodies (on a ‘regulator-to-regulator’ basis).
  • Corporate customers.

Software providers which allow the Institute to operate efficient digital processes (including but not limited to):

  • ECom
  • Sage
  • Pixl8

Third party suppliers which allow the Institute to provide services to its members (including but not limited to):

  • Unicorn
  • PSI International
  • Knowledgepool
  • Turnitin
  • Command Publishing
  • Callibrand
  • GoodPractice
  • BPP
  • Redland Business Solutions

For practical reasons, this is an indicative, but not exhaustive list. This list will be kept under review.

For how long does the Institute retain personal data?

The periods for which the Institute retains personal data will depend on the purpose for which the data has been obtained. In general terms, we will retain personal data for so long as required by law, or as may be required for record keeping and legal claims purposes.

Please see our Retention Schedule for full details of the retention periods we adopt.

How does the Institute process cookie files?

Our website makes use of cookie files to distinguish you from other users of our site, and to provide you with a bespoke user experience tailored to your individual preferences. A cookie file (a small file of letters and numbers) will be placed on your computer or other access device each time you visit our site.

The Institute also uses analytical cookie files. These allow us to recognise and count the number of visitors to our site and to see how visitors move around our site when they are using it. This helps us to improve the way our site works, for example, by ensuring that users are finding what they are looking for easily. If you wish to delete any such cookie files, please refer to the instructions for your file management software to locate the file or directory that stores cookies.

You may refuse to accept cookie files when visiting our site, by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you choose this setting, you may not get an optimal website experience and may be unable to access certain parts of our site.

Information on our cookie policy is available here.

Your rights where the Institute is processing your personal data

At any point while we are in possession of or processing personal data, you have the following rights:

  • Right of access to your personal data

You have the right to request a copy of the personal data that the Institute holds about you.

  • Right of rectification

The Institute wants to make sure that your personal data is accurate, complete, and up to date, and so you may ask the Institute to correct any personal data about you that you believe does not meet these standards.

  • Right to be forgotten

You have the right to ask the Institute to delete personal data about you, where:

  • You consider that the Institute no longer requires the personal data for the purposes for which it was obtained
  • The Institute is using the personal data with your consent and you have withdrawn your consent
  • You have validly objected to the Institute's use of your personal data
  • The Institute's use of your personal data is contrary to law or the Institute’s other legal obligations.

  • Right to restriction of processing

You have the right at any time to require the Institute to stop using your personal data for direct marketing purposes. In addition, where the Institute uses your personal data to perform tasks carried out in the public interest, or in exercising official authority vested in it then, if you ask us to, the Institute will stop using that personal data unless there are overriding legitimate grounds to continue.

  • Restricting how we may use your information

In some cases, you may ask us to restrict how we use your personal data. This right might apply, for example, where we are checking the accuracy of personal data we hold about you, or assessing the validity of any objection you have made to the Institute's use of your personal data. The right might also apply if the Institute no longer has a basis for using your personal data but you don't want the Institute to delete the data. Where this right is validly exercised, the Institute may only use the relevant personal data with your consent, for legal claims, or where there are other public interest grounds to do so.

  • Withdrawing consent to using your information

Where the Institute uses your personal information with your consent, you may withdraw that consent at any time, and the Institute will stop using your personal information for the purpose(s) for which consent was given.

If you wish to exercise any of these rights please contact the Institute using the contact information below. Any requests will be forwarded on to the Institute’s Data Protection Representative without undue delay. A record of the request will be kept for compliance purposes and confirmation will be sent once the request has been actioned. If any third parties are involved in the processing of the data, they will also be informed.


In the event that you wish to make a complaint about how your personal data is being processed by the Institute (or third parties as described above), or how your complaint has been handled, you have the right to lodge a complaint with the Institute or directly with the Information Commissioner’s Office (ICO).

The full complaints procedure is available here.

The details for each of these contacts are as follows:

Data Protection Representative
Chartered Banker Institute
38b Drumsheugh Gardens

Telephone: +44 (0)131 473 7781

Information Commissioner's Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113 (local rate) or 01625 545 745

Changes to our privacy notice

The Institute will keep this notice under regular review and will place any updates on our website. Paper copies of the privacy notice may also be obtained by emailing or in writing to our office at Chartered Banker Institute, Drumsheugh House, 38b Drumsheugh Gardens, Edinburgh EH3 7SW, United Kingdom.

This privacy statement was last updated on 30th September 2019.

Contact information and further advice

If you have any questions which are not covered in this notice, we suggest that you contact our Data Protection Representative. To help us deal with your query as quickly as possible, we recommend that you include the following in the email subject: ‘FAO Data Protection Representative’. If you would prefer to submit your questions in writing, please write to our office at Chartered Banker Institute, Drumsheugh House, 38b Drumsheugh Gardens, Edinburgh EH3 7SW, United Kingdom, addressing your letter to the Data Protection Representative.

Approved by:

Simon Thompson
Chief Executive