Compliance with US SOX Law, the UK Bribery Act and other relevant legislation

In this Privacy Policy, we have explained that your personal data may be used for the purpose of ensuring compliance with legal, regulatory and other good governance obligations and that it may be disclosed to BPP’s Parent Group Companies’ service providers or governmental or regulatory agencies. This includes for the purpose of enabling BPP’s Parent Group Companies to comply with the US Sarbanes–Oxley Act of 2002 (SOX Law), the US Foreign and Corrupt Practices Act 1977 (FCPA) and enabling BPP to comply with its obligations under the UK Bribery Act 2010 (Bribery Act) and any other local laws or regulations relating to similar purposes which relate to fraudulent, illegal or unethical behaviour (together this shall be the Conduct Legislation).

The purpose of SOX Law is to guard against unethical, improper or illegal business conduct including, for example, accounting and financial fraud, conflicts of interest and white collar crime. The purpose of the FCPA and the Bribery Act is to guard against bribery in business conduct.

BPP’s Parent Group Companies may appoint one or more service providers to assist them in managing a whistleblowing helpline and a webpage which acts as a reporting mechanism (Helpline) to ensure compliance with Conduct Legislation.

It is possible that a BPP employee, student or faculty teacher may report matters of concern through the Helpline and that your personal data may be used by BPP’s Parent Group Companies, its service provider(s) which manage the Helpline and by BPP for the purpose of investigating any such report and taking remedial action thereafter. For example, if a BPP employee suspects that another employee is misusing company records for his own purposes or is committing fraud involving your personal data, they may report this through the Helpline.

Should this happen, your personal data will only be used for the purpose of ensuring compliance by BPP’s Parent Group Companies with the relevant laws and regulations. Wherever reasonably possible, your personal data will be anonymised prior to use for the purpose of investigations and remedial action so that it does not relate to you. However, in some specific circumstances this may not be possible as it may prohibit a full investigation and prevent compliance with a relevant regulation or Conduct Legislation.

Any transfers to BPP’s Parent Group Companies and their service provider(s) which manage the Helpline and which may also be in the US or elsewhere in the world will be carried out in accordance with the Act. There will be contractual measures in place with those service providers to protect your personal data (please see the "Who do we share your personal data with?" section above) to ensure that, first, it is used only in accordance with BPP’s Parent Group Companies’ instructions (in particular, the instructions of the relevant BPP company) and for the purpose of investigating suspected compliance issues, and, secondly, that it keeps such personal data is kept secure. In addition, reasonable efforts are used to ensure that the website related to the Helpline and messages sent through that portal are secure and in particular, that they are encrypted.

A limited number of specially trained employees from BPP’s Parent Group Companies will only have access to your personal data which is disclosed through the Helpline where and to the extent that this is necessary for the purposes of carrying out their roles and for the purpose of compliance. In any event, their access will be limited, secure, controlled and justified as BPP considers is fair and necessary in the circumstances. These employees will be subject to appropriate confidentiality obligations.

We encourage our employees to use the Helpline in good faith and only for serious or substantial issues which cannot properly be reported via other means.

Provided reports are made through the Helpline in good faith, we try to protect the confidentiality of your identity as far as is reasonably possible. However, we cannot guarantee this (especially in subsequent court or tribunal proceedings) and we are required to inform the subject of the reports about the allegation(s). Those subjects have the right to request their own personal data, as do you, as set out in full in the Data Subject Access Request section of this Privacy Policy.