1. Purpose
1.1 Purpose
The purpose of the Data Protection Policy is to set out what the Bank needs to do as a minimum to comply with data protection legislation.
Personal data is defined as “Information identifying a Data Subject or information relating to a Data Subject that BBB can identify (directly or indirectly) from that data alone or in combination with other identifiers BBB possess or can reasonably access. Personal Data includes Special Categories of Personal Data and Pseudonymised Personal Data, but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour”.
This Policy forms part of the Operational Risk Management Framework and should be read in consultation with the associated standards and procedures that help set out what is expected of colleagues when handling personal data. The full list of definitions used in this Policy is available at Section 7.
1.2 Legal & Regulatory Obligations
The applicable laws include the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
In addition to meeting its legal obligations, the BBB as an Arm’s Length Body (ALB) is required to meet the Government Functional Standards where applicable. Obligations relating to Government Functional Standard (GFS005) – Digital, Data and Technology and GFS007 – Security activity elements are contained and prescribed through this policy and associated standards.
1.3 Alignment to Risk Appetite
This Policy sits under the Level One Risk category, Operational Risk.
It aligns to the Level Two Risk Category, Data Management, which is defined as ‘The risk of failing to appropriately manage and maintain the organisation’s data. This encompasses core data (for example, delivery partner, SME, investment and employee data) and generated information and records.’
BBB’s Risk Appetite Data Management is Low-Medium.
The correct handling of personal data is vital to achieving BBB’s strategic objectives while complying with its legal and regulatory obligations.
2. Scope
This Policy applies to all BBB entities, operations and subsidiaries, and Colleagues. It also applies in part to third parties that are contracted to process personal data for or on our behalf, in particular where the third party is a data processor, or we have instructed a third party to carry out direct marketing on our behalf.
It does not form part of any employees’ contract of employment, and we may amend it at any time.
This Policy applies to all BBB Personal Data we process regardless of where the data is stored, its age, format, or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject.
3. Requirements
3.1 Data Protection Principles
The data protection principles are key to data protection law and determine that Personal Data shall be:
- Processed fairly, transparently and lawfully
- Processed only for specified and not incompatible purposes
- Adequate, relevant and necessary for the purpose
- Accurate and, where necessary, kept up-to-date
- Not kept longer than necessary for the purpose
- Kept secure by technical/organisational means
The seventh principle requires the Controller [BBB] shall be responsible for, and be able to demonstrate compliance with, the above principles.
3.2 Accountability
To comply with the data protection principles, we
- Register the British Business Bank plc as a Data Controller (and any other of its entities that act as a Data Controller) with the Information Commissioner’s Office for inclusion on the Register of fee payers (registration No. ZA084015)
- Appoint a Data Protection Officer and register their name, contact details and address with the Information Commissioner’s Office
- Maintain a Record of Processing Activities to identify the business activities that process Personal Data as required by law (GDPR Article 30) and know what lawful basis applies to the data processing.
- Minimise the Personal Data we collect and challenge ourselves at the beginning of and during our business activities to ensure the Personal Data attributes are relevant, necessary and appropriate.
- Ensure the Personal Data we process is managed, so that it is accurate, meaningful and complete.
- Adopt privacy by design principles to avoid or remove excessive Personal Data from our processing using, where possible, aggregated, anonymised, or pseudonymised data or in the case of testing and training, fictitious data.
- Provide Data Subjects with a privacy statement or privacy notice when we collect their Personal Data to make clear what Personal Data we need and why and all the required information as set by law. Where a short privacy statement is used, it must include reference to the relevant privacy notice and how it can be accessed. Privacy notices and statements to be reviewed at least once a year to ensure they are accurate and up to date.
- Tell Data Subjects if we process their Personal Data that we have obtained from a third party and to do so within one month of us receiving the information unless one of the following exceptions apply: the Data Subjects already know, it would be a disproportionate effort, or disclosure is restricted by another law or regulation.
- Evidence the consent decisions from Data Subjects for the processing of their Personal Data to confirm what the Data Subjects consented to and when, that it was a real choice, easy to understand, freely given and an affirmative action (not vague, packaged, conditional, or an opt out). Consent can be withdrawn at any time and such decisions must be recorded.
- Maintain a suppression list of the names and contact details of any Data Subjects or business that has confirmed they do not wish to receive any direct marketing or any other communications about our market research, consultation or events. Such requests must be actioned promptly and in effect within one month.
-
Action requests from Data Subjects (or their representatives) exercising their data protection rights to:
- withdraw their consent;
- access the Personal Data we hold about them;
- be informed as to why we hold their Personal Data and what we do with it;
- have their Personal Data corrected, erased, restricted, transferred to another controller; or
- ask for a manual review of an automated decision that has a significant effect on them.
Such requests must be actioned promptly and completed within one month
- Complete a Data Protection Impact Assessment Screening Questionnaire as part of all business change, scheduled projects or business activities that involve new or significant changes to the way Personal Data is intended to be processed.
- Complete Data Privacy Impact Assessments for processing that has been identified as having high inherent risks to the privacy rights and freedoms of individuals to ensure the risks can be managed to an acceptable level or a decision made as to the appropriateness of the proposed processing.
- Share Personal Data where it is lawful and appropriate to do so. We aim to adhere to the Information Commissioner’s recommendations and ensure all regular sharing with third parties is covered under a written agreement or contract and keep a record of all ad hoc sharing so we know what personal data has been shared, when, why and with whom. If you receive a request to share or disclose Personal Data, please forward the request to the Data Protection Office at [email protected], so it can be logged, tracked and advice given before the sharing takes place.
- Register the restricted transfers of Personal Data to third countries and to carry out the appropriate data transfer risk assessments. Restricted transfers apply to the transfer of personal data to countries that do not have a data protection adequacy agreement with the UK, but also includes situations where a third party can access BBB data from countries that don’t have the UK adequacy agreement.
- Ensure contracts with third party suppliers and delivery partners are compliant with data protection and security requirements with appropriate due diligence, data processing clauses and agreements, risk assessments and audits to protect the Personal Data throughout the contract period and make appropriate provisions for the return, retention or disposal at the end of the contract.
- Ensure appropriate organisational and technical measures are in place, within the Bank and its third party contractors and delivery partners, to protect the Bank from Personal Data breaches that may result in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, and help ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services as well as the ability to restore Personal Data in a timely manner.
- Retain Personal Data for only as long as we need to and delete or destroy Personal Data in a timely and secure manner in line with the Bank’s Record Retention Schedule and / or the Record of Processing Activities.
- Mandate all Employees (and authorised users) complete the Bank’s data protection and information security training within one month of their start date and again as part of the annual training programme. The training content will be reviewed every year and updated accordingly.
- Report personal data breaches via the Bank’s Incident Portal to help determine if the Data Protection Officer must notify the Information Commissioner within the statutory timescale of 72 hours and / or the affected data subjects.
- Manage complaints about the handling of Personal Data in line with the Bank’s Complaints Handling procedure.
3.3 Record keeping
Data protection accountability relies on good record keeping, so that the Bank can evidence or reflect on its actions and decisions and demonstrate compliance with the law.
4. Roles and Responsibilities
4.1 All Colleagues
Data Protection is everyone’s responsibility. All colleagues are required to adhere to this policy to help comply with data protection law and to enable the Bank to meet its data protection obligations.
4.2 Data Owners
The Data Owner role is defined in the Data Management Policy and for the purpose of this Policy are responsible for the Personal Data within their respective business areas and ensuring its integrity, confidentiality and availability and overall protection.
4.3 Data Stewards
The Data Steward role is defined in the Data Management Policy and act on behalf of the Data Owners, and for the purpose of this Policy will take an active role in protecting Personal Data by contributing to the creation and maintenance of key records such as the Records of Processing Activity, Data Protection Impact Assessments, Data Sharing Agreements, and Privacy Notices.
4.4 Risk Champions
Risk Champions review the Business Area risks via the Risk Control Self-Assessment (RCSA) process to help identify and manage information risks, including data protection risks, to an acceptable level on behalf of the Data Owner.
4.5 Board Risk Committee (BRC)
The BRC is the approval body for this Policy and is responsible for its review and approval on a bi-annual basis or whenever major changes are submitted.
4.6 Executive Committee
The BRC has delegated responsibility to the Executive Committee to provide management oversight regarding the implementation of this Policy and to recommend necessary changes.
4.7 Chief Operating Officer
The Chief Operating Officer is the Policy owner and custodian for the development and endorsement of this Policy.
4.8 Data Protection Officer (DPO)
The Bank is required to appoint a DPO to help the Bank fulfil its data protection obligations by:
- Informing and advising on our data protection obligations
- Monitoring our compliance with data protection laws
- Raising awareness and providing data protection training
- Advising on Data Protection Impact Assessments (DPIA)
- Liaising with the Information Commissioner’s Office in relation to customer complaints
- Reporting any breaches of data protection law and regulations to the ICO
- Ensuring data protection risks are managed appropriately.
The DPO is not liable for the Bank’s compliance with its data protection obligations; the Bank remains accountable for complying with data protection obligations regardless of whether the DPO is an employee or a contracted third party.
The DPO is supported by a Data Protection Office which includes support from BBB colleagues as appropriate.
5. Non-Compliance
This Policy sets out what we expect from you to ensure BBB complies with applicable laws and regulations.
The Bank’s failure to comply with data protection law, either deliberately or accidentally, can have significant consequences to the data subjects whose data has been processed and to the organisations that processed the Personal Data. Data subjects have the right to receive compensation (GDPR Article 82) and the UK’s Supervisory Authority (Information Commissioner’s Office) has enforcement powers that include issuing monetary fines up to £17.5 million or 4% of an organisation’s annual turnover (GDPR Article 83) for infringements of certain provisions in the law, see Appendix A for details.
Compliance is mandatory and any breach may lead to disciplinary action, which could result in dismissal, and in some cases, individuals can be prosecuted, see Appendix B.
Operational Control and the Data Protection Officer will monitor compliance with this policy.
6. Aligned Standards and Procedures
Personal Data is processed in a large number of business activities and therefore features in the majority of business processes, policies, standards and procedures. The list below covers the main documents that will help colleagues comply with this Policy:
- Data Protection Impact Assessments Standard
- Data Protection Rights Standard
- Personal Data Sharing Standard
- Direct Marketing and PECR Standard (TBC)
- Data Management Policy (and accompanying standards)
- Supplier Management Policy, Procurement and Contracting Standards
- Records Management Policy (and accompanying Standard)
- Records Retention Schedule
- Risk Incident Review Reporting Procedure
- Disclosing Personal Data to Third Parties Procedure
- Information Classification and Handling Standard
- Pseudonymisation and Anonymisation Standard
- Information Security Policy
- IT Acceptable Use Policy
7. Policy Controls
The Policy controls are visible here: Data Protection Policy Controls - Power BI
8. Definition of Terms
Anonymisation
The process of removing personal identifiers, both direct and indirect, that may lead to an individual being identified.
Automated Decision Making (ADM)
A decision based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met), but not Automated Processing.
Consent
Agreement, which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.
Controller
The person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. BBB are the Controller of all Personal Data relating to BBB Colleagues and Personal Data used in BBB business for BBB’s own commercial purposes.
Criminal Offence Data
Defined in Article 10 of the GDPR and section 11(2) of the DPA 2018 as Means personal data relating to criminal convictions and offences and includes personal data relating to criminal allegations and proceedings. Collectively referred to as criminal offence data.
Data Availability
Means that authorised users can access the Personal Data when they need it for authorised purposes.
Data Confidentiality
Means that only people who have a need to know and are authorised to use the Personal Data can access it.
Data Integrity
Means that Personal Data is accurate and suitable for the purpose for which it is processed.
Data Privacy Impact Assessment (DPIA)
Tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.
Data Protection Act 2018 (DPA)
The UK has implemented the DPA to give effect to and supplement the General Data Protection Regulation.
Data Subject
A living identified or identifiable individual about whom BBB holds Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
General Data Protection Regulation (GDPR)
GDPR ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the GDPR, see also UK GDPR.
Joint Controller
Multiple persons or organisations that determines when, why and how to process Personal Data. They are responsible for establishing practices and policies in line with the GDPR. BBB are the Controller of all Personal Data relating to BBB Colleagues and Personal Data used in BBB business for BBB’s own commercial purposes. A joint controller relationship may occur when personal data is used by another party e.g. SUL Finance Partners are a joint data controller with BBB
Overseas Processing and Adequacy Agreements
The Information Commissioner has deemed it safe to process personal data in the following countries: EU Member States: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
EEA states: Iceland, Norway and Liechtenstein.
Adequacy arrangements: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay, Please note this list may change, so for the most up to date list see the ICO website at International data transfers | ICO.
Personal Data Breach
Any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or BBB third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Privacy by Design
Implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Privacy Notices (also referred to as Fair Processing Notices)
Separate notices setting out information that may be provided to Data Subjects when the BBB collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose.
Processing or Process
Any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Processor
A processor is an entity or individual that processes personal data in accordance with a data controller’s written instructions.
Pseudonymisation or Pseudonymised
Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
Records of Processing Activity (ROPA)
This document details all activities where BBB processes personal data. This includes where the personal data comes from, the lawful basis for processing, who this data is shared with and where it is stored.
Special Category Personal Data (SC-PD)
Defined in Article 9(1) of the GDPR and section 35(8) of the DPA 2018 as information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data
UK GDPR
Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 retain the EU GDPR after the Brexit transition and create UK GDPR that will sit alongside an amended version of the Data Protection Act 2018. The key principles, rights and obligations will remain the same, but there are implications for the rules on transfers of personal data between the UK and the EEA
9. Further Information
For further information about data protection, see Data Protection Office (british-business-bank.co.uk).
If you have any data protection queries or concerns you can contact Operational Control at [email protected].
10. Version control
| Version | Author | Description | Approved by | Date approved | Date published |
|---|---|---|---|---|---|
| 0.1 | Content removed | Introduction of the policy | Board Risk Committee | 28/10/2024 | - |
| 1.0 | Content removed | Annual Review. Material changes to reflect GDPR requirements. | Board Risk Committee | 06/03/2019 | - |
| 1.1 | Content removed | Minor update to recognise outsourced DPO service to Chaucer Ltd | CRO | 07/02/2020 | - |
| 1.2 | Content removed | Annual Review and transfer to new policy template. Non-material changes. | Board Risk Committee | 09/09/2020 | - |
| 2.0 | Content removed | New policy template and update of requirements, related policies and roles and responsibilities | Board Risk Committee | 04/07/2022 | 07/07/2022 |
| 2.1 | Content removed | Change in policy ownership from 2LoD to 1LoD | COO/CRO | 15/12/2022 | 16/12/2022 |
| 2.2 | Content removed | In year amends to include wording on GFS, Policy Scope and taxonomy change. List of policies and definitions replaced by link to Intranet page. | DPO | 09/06/2023 | - |
| 2.3 | Content removed | Update to Section 1 to change ‘IRMF’ to ‘ORMF’, Section 4 correction of Policy Owner and Approver and Section 7 Policy Controls to align with updated template. | CRO | 22/12/2023 | 02/02/2024 |
11. Appendix A: Administrative Fines and Penalties
The GDPR can impose fines on companies for non-compliance at the lower and higher thresholds listed below. The Data Protection Act 2018 mirrors these thresholds and the UK Regulator, the Information Commissioner’s Office, can impose the relevant fines for non-compliance in relation to the handling of personal data in UK.
Lower Administrative Fine = a fine of up to £8.7 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Higher Administrative Fine = a fine of up to £17.5 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
| GDPR Article No. | Article Title | Administrative fine |
|---|---|---|
| 5 | Principles relating to personal data processing | Higher |
| 6 | Lawful Basis for Processing | Higher |
| 7 | Conditions for consent | Higher |
| 9 | Processing of special categories of personal data | Higher |
| 12 | Transparency and communication in relation to data subject rights | Higher |
| 13 | Providing information to data subjects when data is first collected | Higher |
| 14 | Providing information to data subjects when data is collected via third parties | Higher |
| 15 | Right of access by the data subject | Higher |
| 16 | Right to rectification | Higher |
| 17 | Right to erasure (“right to be forgotten") | Higher |
| 18 | Right to restriction of processing | Higher |
| 19 | Communicate rectification, erasure or restriction requirements to third party recipients | Higher |
| 20 | Right to data portability | Higher |
| 21 | Right to object | Higher |
| 22 | Automated individual decision-making, including profiling | Higher |
| 11 | Processing not requiring identification | Lower |
| 25 | Data protection by design and by default | Lower |
| 26 | Joint controllers | Lower |
| 28 | Processor | Lower |
| 29 | Processing under the authority of the controller or processor | Lower |
| 30 | Records of processing activities | Lower |
| 31 | Cooperation with the supervisory authority | Lower |
| 32 | Security of processing | Lower |
| 33 | Notification of a personal data breach to the supervisory authority | Lower |
| 34 | Communication of a personal data breach to the data subject | Lower |
| 35 | Data protection impact assessment | Lower |
| 36 | Prior consultation | Lower |
| 37 | Designation of the data protection officer | Lower |
| 38 | Position of the data protection officer | Lower |
| 39 | Tasks of the data protection officer | Lower |
| DPA 2018 Section No | Section Title | Penalty |
|---|---|---|
| 155 | Non-compliance with the Information Commissioner’s notices | Higher |
| 158 | Non-compliance to the Information Commissioner’s fees | Maximum of £4350 |
| 170 | Unlawful obtaining of personal data (e.g. without Controller consent) | Possible prosecution |
| 171 | Knowingly or recklessly re-identifying de-identified personal data | Possible prosecution |
| 173 | Alteration, etc. of personal data to prevent disclosure to a data subject | Possible prosecution |
12. Appendix B: Appropriate Policy Document for processing special category and criminal offence data
Introduction
The Data Protection Act 2018 (DPA 2018) outlines the requirement for an Appropriate Policy Document (APD) to be in place when processing special category (SC) and criminal offence (CO) data under certain specified conditions.
If we rely on the substantial public interest condition in Article 9(2)(g) of the General Data Protection Regulation (GDPR) to process special category or criminal offence data, we also need to meet one of the 23 substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018, many of which require an APD.
The APD is intended to complement the Record of Processing Activity (GDPR Inventory) and
- describe what special category or criminal offence data is processed
- confirm what Schedule 1 conditions are used
- explain the procedures that are in place to comply with the data protection principles
- confirm what retention and erasure policies are in place
Description of the special category data and criminal offence data processed
The Bank processes Personal Data about businesses and companies, which includes sole traders, representatives and associates and directors, as well as Personal Data about our past, present and prospective delivery partners, suppliers, contractors, interns, employees and non-executive directors, complainants and requesters (for information).
The Personal Data processed depends on the business activity and our relationship with the data subject, but may include name, address, contact details, bank accounts, payment details, background checks, criminal offence data, racial and ethnicity data, sexual orientation, religious and philosophical beliefs, and health data.
Data Protection Act 2018 Schedule 1 condition for processing
The table below shows the Schedule 1 conditions that BBB rely on that require an Appropriate Policy Document to process special category data and criminal offence data:
| DPA 2018 Schedule 1 | Description of condition | Data likely to be processed | Processing Activities |
|---|---|---|---|
| 1. Employment, social security and social protection | Processing necessary in connection with the laws of employment, social security and social protection. | Racial or ethnic origin; religious or philosophical beliefs; health; sexual orientation |
Assess eligibility for services or benefits
Assess employee health and wellbeing
Equalities and equal opportunities |
| 6. Statutory and government purposes | Processing necessary for the exercise of a function conferred on a person by enactment or rule of law or the exercise of a function of the Crown, a Minister or a government department. | Health | Report and investigate accidents and incidents at the workplace |
| 7. Administration of justice and parliamentary purposes | Processing necessary for the administration of justice. | Racial or ethnic origin; religious or philosophical beliefs; health; sexual orientation; criminal offence | Prepare or conduct legal defence or proceedings |
| 8. Equality of opportunity or treatment | Processing necessary for identifying or keeping under review the existence or absence of equality or opportunity or treatment between groups of people with the view to enabling equality to be promoted or maintained at a group not individual level. | Racial or ethnic origin; religious or philosophical beliefs; health; sexual orientation | Comply with the Equality Act 2010 through customer or employee surveys, consultations, etc. |
| 10. Preventing or detecting unlawful acts | Processing necessary to prevent or detect an unlawful act or unlawful failure to act. | Criminal offence |
Investigate allegations or suspicions of misconduct Conduct Know Your Customer due diligence Conduct background verification on customers (e.g. Start Up Loan applications) Investigate allegations or suspicions under the Bribery Act 2006, Fraud Act 2010 or Money Laundering Regulations |
| 14. Preventing fraud | Processing carried out to protect public money and prevent and detect fraud. | Criminal offence | Investigate allegations or suspicions under the Bribery Act 2006, Fraud Act 2010 or Money Laundering Regulations |
| 15. Suspicion of terrorist financing or money laundering | Processing necessary for certain disclosures made under the Terrorism Act 2000 and Proceeds of Crime Act 2002. | Criminal offence | Disclosing information in relation to money laundering and terrorist financing |
Procedures for ensuring compliance with the principles
The Data Protection Policy sets out our approach to handling Personal Data, which also applies to our processing of special category data and criminal offence data, and how we intend to comply with the data protection principles of accountability, lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality (security).
Retention and erasure policies
The Records Retention Policy and accompanying Record Retention Schedule sets out our approach to the retention and disposal of Personal Data, which also covers special category data and criminal offence data.
Do you have a Freedom of Information Act (FOIA) request?
View our archive of previously answered Freedom of Information Act enquiries or use our contact us form to submit your own.