Personal data and mutuals registration

We explain how and why we use personal data that is collected for mutuals registration, including Mutuals Public Register, Mutuals Society Portal, and other application forms. 

We, the Financial Conduct Authority (the FCA), are the controller of the personal data that we collect. This means that we are responsible for deciding how we collect and use personal data.  

We are the registering authority for mutual societies. This role is distinct from our other responsibilities under the Financial Services and Markets Act 2000 (FSMA). As part of this role, we maintain the Mutuals Public Register as the public record of registered mutual societies which consists of building societies, credit unions, friendly societies and registered societies (including co-operative societies and community benefit societies).  

We are responsible for registering mutual societies that are registered under ‘mutuals legislation’: 

  • Co-operative and Community Benefit Societies Act 2014 (previously the Industrial and Provident Societies Act 1965) 
  • Co-operative and Community Benefit Societies Act (Northern Ireland) 1969 
  • Credit Unions Act 1979 
  • The Credit Unions (Northern Ireland) Order 1985 
  • Friendly Societies Act 1974 
  • Friendly Societies Act 1992 
  • Building Societies Act 1986 

We are required to maintain arrangements designed to enable us to determine whether persons are complying with mutuals legislation (The Financial Services Act 2012 (Mutuals Order) 2013).  

Although our statutory objectives of consumer protection, maintaining market integrity and supporting competition (FSMA) do not apply to our mutuals registration function, we deliver it to maintain public confidence in the different forms that mutual societies can take. More information on our role can be found here.   

We maintain the Mutuals Public Register. It contains details including a societies’ name, registration number, registered offices and public documents such as annual returns and accounts and rule amendments. Some documents, such as annual returns and accounts contain personal data related to individuals involved in societies. 

The Mutuals Public Register also includes information about mutual societies inherited from our predecessors, the Financial Services Authority, the Registry of Friendly Societies, and – for Northern Ireland, the Department for the Economy. Some of this information is subject to the Public Records Act 1958 or Public Records Act (Northern Ireland) 1923.

The personal data we collect and use

We collect many different types of personal data during our work. Where it is optional for individuals to provide their personal data, we will indicate this clearly as optional fields and where data is anonymised and/or only collected for statistical analysis purposes.   

To undertake our work as registering authority, we are often required to collect a wide range of information on mutual societies and those involved in running them. This includes collecting personal data on: 

  • Members of the Committee of Management of societies (usually detailed in the annual return form and accounts) 
  • Founding members of societies (usually detailed in the New Registration application form)  
  • Trustees of friendly societies (usually detailed in the Appointment and Cessation of trustee documents)  
  • Chief Executives and Secretaries of building societies and incorporated friendly societies (usually detailed in Appointment and Cessation of Chief Executive/Secretary forms).

We also collect personal data to facilitate the voluntary registration and use of the Mutuals Society Portal, for those involved in running societies. Individuals provide their name and an email address, along with answers to security questions, to gain an account on the Mutuals Society Portal.  

The Mutuals Public Register does not automatically capture or store personal data from users. The Mutuals Society Portal and the Mutuals Public Register log your IP address and session information such as how long your visit lasted, the pages visited, and the type of browser used.

This is recognised by the web server and is only used for system administration and to provide statistics, which we use to evaluate how the site is used. Please see the Cookie Notices on the Mutuals Society Portal and Mutuals Public Register to find out more about the cookies we use, when they are set, what they’re for and when they expire. 

How we collect this personal data

Most of the personal data is collected from societies through forms found on Mutual Society Forms or submitted through the Mutuals Society Portal. Occasionally we also make specific ad hoc information requests societies by other means, such as by using our power to inspect the register of members of a society. 

Most of the information on the Mutuals Public Register is about the society itself, such as its rules, address, name, and annual returns and accounts. Some personal data – such as on the names and months and years of birth of secretaries and Committee of Management are also collected and stored as part of the annual return form. 

Why we use this personal data

For some of the personal data we obtain, societies are obliged by mutuals legislation to submit it to us, and we are obliged to make that information available to the public. This includes: 

  • Appointment and cessation of trustees for societies registered under the Friendly Societies Act 1974 
  • Appointment and cessation of chief executives and secretaries, for societies registered under the Friendly Societies Act 1992 or Building Societies Act 1986.  
  • Appointment and cessation of directors for societies registered under the Building Societies Act 1986.  
  • Annual returns and accounts   

Other personal data is collected and published by us to fulfil our legislative obligation to maintain arrangements designed to enable us to determine whether persons are complying with mutuals legislation. This includes collecting details of the committee of management in the annual return form. We use this data from time to time to check compliance with the Company Directors Disqualification Act 1986, and to operate other powers under mutuals legislation.  

We are obliged by mutuals legislation to make specified documents available for public inspection. These include documents required by legislation to be submitted to the FCA such as annual returns, and registration documents bearing the FCA's seal. 

We use the data submitted through the Mutuals Society Portal to facilitate the administration of the user account for the individual; to send communications relating to applications submitted; to direct our communications about the society; the management of user accounts linked to their society; and to send automated reminders of annual return submission deadlines.  

The personal data we collect through our Mutuals Society Portal and Mutuals Public Register also includes technical data such as traffic, location, time zone and other communication data; and information from your computer or device, such as your internet protocol (IP) addresses, the login data, browser type and version, operating system and platform you use to access.

The lawful basis for us using this personal data 

We use this personal data under Article 6(1)(e) of the UK GDPR (it is necessary for performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018.  

When we share personal data as part of our regulatory work 

Where it is appropriate to do so, we share personal data with other regulators, public authorities and law enforcement agencies both inside and outside the UK. In some circumstances we choose to share this information, and, in others, we are obliged for legal reasons to share the information.   

When this personal data is transferred outside the UK and the EU

Given the international nature of our wider regulatory work, where necessary and appropriate we share personal data with third parties, most commonly regulators and law enforcement agencies, outside the EU. We will only transfer personal data outside the EU if permitted by the UK GDPR or DPA 2018. We have robust processes to ensure that appropriate safeguards are in place to protect any personal data included in such transfers. The FCA is a signatory to several administrative arrangements for the transfer of personal data from the FCA to non-EEA regulators. These arrangements act as an appropriate safeguard when the FCA shares personal data with non-EEA regulators that have signed these arrangements. View the full text of these administrative arrangements.  

: Editorial amendment page updated as part of website refresh

19/08/2019: Link changed Fixed broken link to https://www.allaboutcookies.org/