Data protection and SARs

How to ask us for information that we hold about you.


The Financial Ombudsman Service is covered by the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This places legal obligations on us, as a data controller, when we hold and process personal information about individuals.

Personal data means information about you – for example, your name, date of birth, financial details and phone conversations with us.

Our entry in the public register of data controllers can be seen online on the Information Commissioner's website

We know that the personal and financial circumstances of people who refer complaints to us can be very sensitive, and we handle people's information with care and discretion. You can find out more about this in our privacy policy.


  • We’re committed to being open and transparent, which is why we’re happy to share the information we’ve relied upon to reach our decision on your complaint without the need to make a formal request for information. Examples of what may be shared, could include a copy of the terms and conditions of a policy which outlines whether a business has acted fairly in declining a claim, or a screenshot which demonstrates how much is outstanding on an overdraft. If this is the type of information you’d like to see, then you’ll need to speak to the person who is handling your complaint. You should let them know if you want to see a specific document. They’ll have given you their contact details so you can get in touch.

    However, because of the volumes of complaints we see and in order to resolve these complaints as quickly as possible, we don’t share the full complaint file with either party to the complaint, only the information that has been relied upon to reach our decision on your complaint.

    Under current data protection laws, you’re entitled to ask us for a copy of all the personal data we hold about you. This is known as a subject access request or a right of access. A subject access request doesn’t give you the right to access specific documents or an entire file, so if you were looking for a call script a business may have used, you may not be entitled to this under a subject access request. Similarly, you may not be entitled to documents relating to a business account as this may be considered as information related to a business entity rather than an individual. Instead, a subject access request entitles you to your ‘personal data’, as well as other supplementary information.

  • Please contact our information rights team at: [email protected]

    To make sure we’re sending the information to the right person, we may need to see proof of identify and proof of address.

    When you make a subject access request, please let us know exactly what information you’re looking for to ensure we provide you with the relevant information. You can also let the person handling your complaint know if you would like to make a subject access request.

  • No. Since 25 May 2018, we no longer charge a fee to comply with a subject access request in the majority of cases. However, where the request is manifestly unfounded or excessive, the ICO says we may charge a reasonable fee for the administrative costs of complying with the request. We are also allowed to charge a reasonable fee if an individual requests further copies of their data following a request.

  • We keep your personal information only for as long as we need to. 

    For example:

    • We will keep your case file for six years after your case closes (or three years if we don’t go on to fully investigate your case).
    • We keep ombudsman decisions permanently.
    • If you brought a case to our service before February 2014, your case may have had a paper file. If so, we would only keep a record of this for three years after your case closed and your electronic file for six years after your case closed.
    • If you ask the Independent Assessor to look into a complaint about our service, the Independent Assessor’s office will keep their opinion setting out their recommendations for six years and any correspondence for three years.

    There may be rare occasions where we need to keep your information for longer than the time periods set out above. This is in order for us to effectively resolve issues or activities surrounding your case or a group of cases, but these will be rare.

  • No – a subject access request only allows you to see information we hold about you. When we send this information, the names and contact details of others will usually be removed. If we correspond with a business about your complaint, we’ll tell you the name of the business we’ve been corresponding with, but not necessarily the name of the individual at that business.

  • If you’re not happy with how we’ve handled your subject access request, and wish to make a complaint, please contact our Information Rights Team as soon as possible, to give us an opportunity to look into your concerns.

    You can email us: [email protected]. Our Data Protection Officer (DPO) is Michelle Goddard. A member of our Information Rights Team, usually the adviser dealing with the request, will respond to your concerns within 15 working days.

    For information about how we handle your personal information, please refer to our privacy policy.

    If you have any concerns about the information uncovered from your subject access request, please contact your case handler in the first instance. You can find more information about our process for handling complaints about our customer service on our website