Personal data and enforcement

The role of enforcement is to achieve fair and just outcomes in response to misconduct and to ensure the law, our rules and requirements are complied with. We do this by:

• identifying and investigating suspected serious misconduct
• using deterrent and remedial powers, including financial penalties, prohibitions, suspensions as well as redress, or remedial and restorative measures wherever appropriate, in order to help put right what has gone wrong
• communicating, through our formal statutory notices, the basis on which we have taken action and the reasons, so that our actions are transparent, fair and enable firms and individuals to draw on that information in evaluating their own conduct

Not all of our investigations result in a finding that a breach has occurred. The way in which we process personal data will depend on the nature of our investigations and the outcomes which we decide are most appropriate.  

Where an investigation is of either a regulatory or civil nature, processing is subject to the UK GDPR. Processing in the context of a criminal investigation or proceeding will be subject to provisions of the DPA 2018, which implements the Law Enforcement Directive (EU) 2016/680 (the LED) into UK law. The FCA is a competent authority for the purposes of the LED and the DPA 2018.

Examples of the ways in which we may process personal data when carrying out our enforcement functions include:

• gathering and analysing information such as consumer complaints, whistleblowing information, financial and transaction data, communications and market monitoring data
• case management, including evidence analysis and storage in line with statutory obligations
• conduct of investigations, including preparing case documentation and proceedings before the Regulatory Decisions Committee, Upper Tribunal, or civil or criminal courts
• engaging with parties to the investigation, including evidence gathering, fulfilling disclosure obligations and discussions to agree appropriate outcomes
• calculating penalties or redress
• fulfilling money laundering reporting obligations
• cooperation with domestic and overseas authorities
• publishing outcomes in accordance with FSMA

The information that we have provided in this notice (particularly in relation to sharing information with third parties) is not exhaustive. If you want to understand more about how we use personal data or you have any particular questions about our enforcement processing activities, please contact us[1].

The personal data we use

Given the nature of our work, we use a variety of personal data (including special categories of personal data) to exercise our enforcement functions, which may include:

• names, addresses, contact details, dates of birth, National Insurance numbers
• racial or ethnic origin
• employment history
• location data
• online identifiers, including IP addresses, cookie identifiers from third party websites
• criminal records and allegations of criminal offences
• information relating to a person’s health
• information relating to a person’s economic identity, including credit ratings, financial information and banking records
• an individual’s political opinions or religious and philosophical beliefs
• an individual’s personal views and opinions, including recordings and transcriptions of interviews undertaken as part of an investigation

The personal data we collect also includes technical data such as traffic, location, time zone and other communication data; and information from your computer or device, such as your internet protocol (IP) addresses, the login data, browser type and version, operating system and platform you use to access Connect.

As an organisation, we have robust policies in place to ensure that we do not use more information than we need. In the case of our enforcement work, it is often necessary to have a broad range of information to enable us to effectively and efficiently meet our responsibilities as a regulator and law enforcement authority, including detecting and investigating offences.

How this personal data is collected

To fulfil our enforcement functions, we collect personal data from a variety of sources as described below.

From individuals and firms

To perform our enforcement functions, we routinely begin investigations by requesting specific information from firms and individuals. We also often rely on information that has already been provided to the FCA by individuals and firms for several reasons. This includes information which we have compelled firms and individuals to provide (using our statutory powers), information which firms have provided voluntarily, and information which individuals and firms are obliged under statute to report to us.

From government departments and other public authorities such as regulators and the police

We often receive information as part of our investigations, intelligence and law enforcement work through our cooperation arrangements with other authorities. This includes accessing the Police National Crime Database.

From other third parties

We receive or request information from a variety of third parties to perform our functions. Given the nature of our investigatory work, it is often necessary to pull together a lot of information to ensure that we are able to identify and act when enforcement action is required. Examples of other parties and sources that we receive information from include:

• consumers and whistleblowers
• social media, third party websites and commercial databases
• credit reference agencies
• third party contractors

Why we use this personal data

We use personal data to enable us to carry out the specific enforcement functions for which we are legally responsible. These duties arise under various statutes such as the Financial Services and Markets 2000 and include regulatory, civil and criminal law enforcement functions.

We also collect technical data for the purposes of monitoring and investigating any suspicious activity, misuse of our ICT systems and for the purposes of maintaining cyber security. Automatic profiling may alert us of certain activities relating to the technical metadata. Where such alerts are received by us, we will decide whether to investigate further and there will be no automated decision process.

The lawful basis for us using this personal data

We use this personal data under Article 6(1)(e) of the UK GDPR (it is necessary for the performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018 and, to the extent that we use any special categories of personal data or criminal records, under Article 9(2)(g) (it is necessary for reasons of substantial public interest) and Sections 10(3) and (5) of the DPA 2018 (it is necessary for the exercise of the FCA’s statutory functions, it meets a condition set out in Part 2 of Schedule 1 and we have an appropriate policy in place for such use.

We also use personal data for law enforcement purposes under Section 35(2)(b) of the DPA 2018 (it is based on law and is necessary for the performance of a task carried out by us for that lawful purpose) and, to the extent that we use any special categories of personal data, under Section 35(5) (it is strictly necessary for law enforcement, it meets a condition set out in Schedule 8 of the DPA 2018 and we have an appropriate policy in place for such use.).

When we share personal data we hold for enforcement purposes

There are a number of reasons we may need to share personal data with other parties. For example, we share information with the parties involved in investigations (such as firms or individuals and their legal representatives). We also frequently share personal data with overseas regulators and/or domestic law enforcement bodies (such as police authorities and the National Crime Agency) and, occasionally, with other relevant firms (such as Interpol, the Home Office, HMRC and overseas authorities with similar functions). In some circumstances, where appropriate, we choose to share this information (for example, for the purposes of furthering an investigation) and in others we are obliged for legal reasons to share the information.

In the majority of cases, the law and our policies allow us to share this information without obtaining the consent of the individuals involved. Where the law does require this, we ensure that adequate consent is obtained in accordance with the UK GDPR and the DPA 2018.

When personal data is transferred outside the UK and the EU by us for enforcement purposes

Given the international nature of our enforcement work, where necessary and appropriate we share personal data with third parties, most commonly regulators and law enforcement agencies, outside the EU. We will only transfer personal data outside the EU if permitted by the UK GDPR or the DPA 2018. We have robust processes to ensure that appropriate safeguards are in place to protect any personal data included in such transfers. The FCA is a signatory to several administrative arrangements for the transfer of personal data from the FCA to non-EEA regulators. These arrangements act as an appropriate safeguard when the FCA shares personal data with non-EEA regulators that have signed these arrangements. View the full text of these administrative arrangements[2]. 

Learn about your rights

Under the UK GDPR and the DPA 2018, individuals have a number of rights relating to their personal data. Given the often sensitive nature of our investigations work, and the risk of prejudice to our investigations and individuals involved in them, we consider it will often be appropriate to apply the provisions of data protection legislation that permit us to limit data subject rights in certain circumstances, for example to safeguard regulatory functions or to avoid obstructing or prejudicing criminal investigations. In each case we assess whether such a restriction is appropriate.

Read more about your rights and how to exercise them[3].