- Home /
Subject access request
Under data protection laws, you have the right to ask us for a copy of all the personal data we hold about you. This is known as a ‘subject access request’ (SAR) or a ‘right of access’.
This page will tell you how to make a SAR to ask us for information that we hold about you and what will happen if you do.
The Financial Ombudsman Service is covered by the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This places legal obligations on us, as a data controller, when we hold and process personal information about individuals.
Under current data protection laws, you have the right to ask us for a copy of all the personal data we hold about you. You can do this by using a subject access request.
For information about your case, please talk to your case handler.
Making a subject access request
What you can request
-
Any personal data we hold or store about you, including on our complaint file
-
Copies of any personal data contained in correspondence or call recordings
-
Details of how we use and store your personal data
What you can't request
-
Full copies of documents, especially those that don't contain your personal data
-
A full copy of your complaint file or the file submitted by the financial business
-
Information about other people
- Before you start, you may wish to tell your case handler that you’d like to make a subject access request. They may be able to give you the information you want, for example, specific documents or evidence used in your case. If so, you’ll be able to get the information more quickly and you won’t have to make a SAR.
- If you do need to make a SAR, contact our Information Rights team.
- Let us know exactly what personal data you’re looking for. The more specific you are, the quicker it will be for us to give you the right information.
- Give us proof of your identity if we need it.
We won't usually charge you for making a SAR.
-
We take data protection very seriously and aim to be as open as possible about how we handle your personal data.
However, we may refuse to process your request if we believe it’s clearly "unfounded or excessive" as defined by the ICO because, for example, it:
- explicitly states that you intend to cause disruption
- makes baseless accusations against our organisation or employees out of malice
- becomes frequent and seems meant to disrupt our service rather than accessing your data
- repeats previous requests made shortly after the original
- follows a request for personal data on a complaint file where no new personal data has been added.
-
Sometimes, we won't be able to give you the information you've asked for because it's exempt from sharing. If this is the case, we'll explain why.
For example, we may withhold personal data that includes legally privileged information, such as some communications and advice from our Legal team. This information is exempt from disclosure under UK GDPR. We assess exemptions under UK GDPR on a case-by-case basis.
We may also withhold personal data if we think that sharing it might "prejudice the proper discharge of our statutory function". That is, sharing the information would affect our ability to resolve complaints about financial services and products, quickly and informally.
-
A subject access request only allows you to see information we hold about you.
So, we may remove other people's names and contact details unless you already know their personal data and sharing it won't impact their data protection rights and freedoms.
If we contact a business about your complaint, we’ll tell you the name of that business. But we won't necessarily give you the name of our contact there.
-
You can only access copies of your own personal data. Anything that's not your personal data will not be included in a subject access request, for example:
- the terms and conditions of an account or policy, or
- a call script used by a financial business when contacting customers.
Business information will not usually be included in a subject access request. So, if your financial complaint is about your business – unless you are a sole trader – any information about your business will not be included.
If you’re not happy with how we’ve dealt with your SAR
- Contact our Information Rights team as soon as possible.
- The person who processed your request will investigate your complaint and respond to your concerns.
- If you’re unhappy with our response, we’ll pass your complaint to one of our managers. They will look at it again and send you a ‘final response’.
- If you wish to take the matter further, you can take your complaint to the Information Commissioner’s Office. You’ll find guidance on how to do that in our final response.
It’s best to make these complaints as soon as possible after the incident you’re unhappy about to be sure that the file you obtain accurately reflects the information held at that time.
Your personal data
We will keep your case file for six years after your case closes – or three years if we don’t go on to fully investigate your case. We keep ombudsman decisions permanently.
If you ask the Independent Assessor to look into a complaint about our service, their office will keep:
- their opinion, which sets out their recommendations, for six years
- any correspondence for three years.
On rare occasions, we may need to keep your information for longer to help us resolve issues connected to your case or a group of cases.
We have legal obligations as a 'data controller' – under the Data Protection Act 2018 and the General Data Protection Regulation (UK GDPR) – that cover how we handle someone’s personal information. Our Data Protection Officer (DPO) is Michelle Goddard. Under current data protection laws, you have the right to ask us for a copy of all the personal data we hold about you.
More about personal data on the Information Commissioner's Office (ICO) website
We know that the personal and financial circumstances of people who refer complaints to us can be very sensitive. So, we handle people's information with care and discretion. However, if you wish to complain about how we've handled your information, please do so within three months so that we can investigate.
Requesting information about your case
To request information about your case, please talk to your case handler. You should let them know if you want to see a specific document.
We won’t share the full complaint file with either you or the business your complaint is about. But we’re happy to share the information we’ve relied on to assess your complaint without a formal request for information. You can request specific documents, correspondence and call recordings that may be relevant to your complaint, such as:
- a copy of the terms and conditions of a policy that outline whether a business has acted fairly in declining a claim, or
- a screenshot that demonstrates how much is outstanding on an overdraft.
Communicating with our staff
Whatever type of request you need to make, please be respectful to our staff.
Our people shouldn't have to experience aggressive or abusive behaviour while they're at work. And we won't tolerate behaviour that we consider to be violent, insulting or threatening.
