Privacy Rule

For a number of the activities that we undertake to achieve our mission, we need to process personal data. This may include data that relates to our staff, to business contacts, to customers or staff of the firms we regulate, or to members of the public.

We recognise our privileged position in receiving this data. We committed to protecting the privacy of the individuals whose data we process, and to meeting its responsibilities to process personal data in a way that is consistent with the principles set out in data protection laws.

The information on this page in intended to describe at a high level:

  • the purposes for which we need to process personal data
  • the types of personal data that we process for those purposes; and
  • how we collect and use this data, and how we ensure, in doing so, that this meets the requirements set out in data protection laws.

Where we collect personal data directly from individuals, either through our website or elsewhere, we will provide a privacy notice that sets out in more detail how this information will be used.


When we share data

In some circumstances, we may need to share personal data with other organisations.  This will, in some circumstances, involve sharing special category or criminal personal data.  Situations in which we may need to disclose personal data to a third party include:

  • to other financial services regulators (for example, the Financial Conduct Authority) and other central banks as part of ongoing supervision or enforcement;
  • to external auditors during audits or similar exercises;
  • to past or future employers, as part of reference checks for staff;
  • to law enforcement agencies or the courts, where this is necessary for crime prevention or detection (including the provision of CCTV footage)

We will only share personal data with others when we are legally permitted to do so.


Retention of personal data

We retain personal data for as long as is required for the purposes for which we collect it, and other purposes that are not incompatible with this. When determining retention periods, we will have reference to, amongst other things, whether we need to keep this for statutory or audit purposes. Details of the retention periods for different types of personal information are set out in the Bank’s Records Classification Scheme. Where possible, we will seek to anonymise personal information so that it can no longer be associated with the individual. When we have identified this is no longer required, we have measures in place to securely dispose of personal data.


Individuals’ information rights

You have a number of rights under data protection laws in relation to data held about you.  For example, under certain circumstances, by law you have the right to:

  • Request access to your personal information (sometimes known as a ‘subject access request’). This enables you to receive a copy of the personal information we hold about you.
  • Request correction of the personal information that we hold about you. This enables you to ask us to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

The rights set out above are not absolute and are subject to a number of important exemptions and limitations that mean we don’t always need to comply with your request.