We, the Financial Ombudsman Service, are committed to protecting the privacy and security of your personal information. This privacy notice describes how we process personal information about you when you are applying for work with us. We're sharing this with you because data protection laws mean we have a duty to make you aware of how we handle your personal information and your rights.
On this page
- Who does this privacy notice apply to?
- What personal information will you be processing?
- How do you collect my personal information?
- Why do you need my personal information?
- What if I don't provide you with my personal information?
- How do you use my special category personal information?
- Do you process information about unspent criminal convictions and offences?
- Do you make any solely automated decisions about recruitment candidates?
- Do you share my personal information with anyone?
- Do you transfer my personal information abroad?
- What security measures do you take?
- How long will you keep my information for?
- Your rights
- Do I have a right to withdraw my consent?
- What if I'm unhappy with how you’ve handled my information?
- Changes to this privacy notice
Under the data protection laws, we're a "data controller". This means that we're responsible for deciding how we hold and use personal information about you.
Please make sure you read this notice. We might also need to send you other privacy notices from time to time and it's important you read those too. We want you to be aware of how and why we're using your information. We keep this privacy notice under regular review to ensure it is up to date and accurate and would communicate with you if the changes were substantial.
Who does this privacy notice apply to?
This privacy notice applies to all people who are applying for work with us whether as an employee, temporary worker or contractor.
What personal information will you be processing?
Personal information means any information about a person and from which that person can be identified. It doesn't include information where the person's identity has been removed – any anonymous information.
Processing means any use of personal information including collecting, recording, organising, storing, changing, retrieving, consulting, sharing, destroying and any other type of use.
In connection with your application for work with us, we will collect, store, and use the following categories of personal information about you:
- Candidate ID
- Any information you've provided in your curriculum vitae (CV) and covering letter – including details of referees, previous employers and educational institutions.
- The information you've provided on our application form. This can include but is not limited to name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications, unspent criminal convictions, adverse credit history, current salary or hourly/day rate and National Insurance number.
- Any information you provide to us during any tests, case studies, or assessment centres completed as part of the recruitment process.
- Any information you provide to us during your interview(s).
- Appraisal forms and other performance management information (for internal candidates only).
If you are successful in your application to join us we will collect, store, and use the following categories of personal information about you:
- Any personal information required to set you up on our systems including information such as your bank details, contact details and information for your next of kin.
- References from previous employers and/or other professional individuals who know you, educators for example.
- Any information about credit discrepancies revealed by a credit check.
- Any information about unspent criminal convictions revealed by a basic criminal records check.
- Copies of right to work documentation including a copy of your passport, visa, and any relevant Home Office correspondence, or any other official documentation which shows that you have the legal right to work in the UK.
- Any information revealed by adverse media checks. proof of address documentation such as a council tax bill, utility bill or bank statement.
Data protection laws recognise that some types of personal information might be particularly sensitive. The UK General Data Protection Regulation (UK GDPR) refers to this as 'special category personal data'. We may collect, store and use the following special category personal data:
- We actively monitor the diversity of the candidates who apply to work with us. This means we will ask for information about your race or ethnicity, religious beliefs and sexual orientation. It's optional, and up to you if you want to provide this. It's never given to anyone making any selection decision.
- Information about your health, including any information on workplace adjustments that you need to take part in the recruitment process. This will be recorded but will never be used as part of a selection decision.
- If you are successful in your application to join us, we will collect information about your health to allow us to make any necessary workplace adjustments for you as an employee.
- If you are successful in your application to join us, we will also collect information about unspent criminal convictions revealed by a basic criminal records check.
How do you collect my personal information?
We mainly collect personal information directly from you. We do sometimes collect personal information about you from third parties, in particular, we get:
- Personal information about you collected through our application and recruitment process from a recruitment agency.
- Identity documentation, details of unspent criminal convictions, details of credit check and adverse media check information from our background check provider.
- References about you, mainly from previous employers or educational institutions.
Why do you need my personal information?
We will only use your personal information when the law allows us to. Most commonly, we'll use your personal information in the following circumstances:
- To decide whether to enter into a contract of employment or other type of contract with you.
- Where it's necessary for our legitimate interests (or those of a third party) – but only if your interests and rights don't override those legitimate interests. Our legitimate interest is that we need your personal information to decide whether to appoint you to the role and we have a business need to recruit candidates for this role.
We have set out below reasons why we use your personal information:
- Communicate with you about the recruitment process
- To mask your data to allow for blind screening in the recruitment process
- Assess your skills, qualifications, and suitability for the role
- Carry out background and reference checks, if we offer you a role
- Keep records related to our hiring processes
- Comply with legal or regulatory requirements
- To monitor the diversity of candidates who apply to work with us
- To contact you in future if a similar vacancy comes up within 6 months of us concluding the recruitment process
- For reporting and to conduct data analytics studies which allows us to more easily identify candidates at different stages, improve the candidate experience and for better planning and to inform future campaigns.
Some personal information requires higher levels of protection- the UK GDPR refers to this as 'special category personal data' (set out above). We need to have a justification for using this type of personal information, in addition to having a legal basis (as set out above).
We will use your special category personal data in the following circumstances:
- Where we need to carry out our legal obligations or exercise rights in connection with employment. For example, we will use information about your health to consider whether we need to provide any necessary workplace adjustments.
- Where it's needed in the substantial public interest. For example, we will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting. This information is not used in any selection decisions.
What if I don't provide you with my personal information?
If you don't provide information which is necessary for us to consider your application (such as evidence of qualifications or work history) when we request it, we may not be able to process your application successfully. For example, if we require references or a credit check for the role and you fail to provide us with relevant details, we are unlikely to be able to take your application further.
How do you use my special category personal information?
Some personal information requires higher levels of protection- the GDPR refers to this as 'special category personal data' (set out above). We need to have a justification for using this type of personal information, in addition to having a legal basis (as set out above).
We will use your special category personal data in the following circumstances:
- where we need to carry out our legal obligations or exercise rights in connection with employment. For example, we will use information about your health to consider whether we need to provide any necessary workplace adjustments.
- where it's needed in the substantial public interest. For example, we will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting. This information is not used in any selection decisions.
Do you process information about unspent criminal convictions and offences?
Working at the Financial Ombudsman Service requires a high degree of trust and integrity because it involves dealing with financial and other sensitive personal information from the public. If we would like to offer you the role, we will request a basic disclosure of unspent criminal convictions. This is to satisfy ourselves that there is nothing in your criminal convictions history that makes you unsuitable to work for us. Once the recruitment decision has been made the information collected is destroyed in line with our retention periods.
We will only use any information relating to criminal convictions and offences where the law allows us to. And we have an appropriate policy and safeguards in place when processing such data.
Do you make any solely automated decisions about recruitment candidates?
Solely automated decision-making takes place when an electronic system uses personal information to make a decision without any human being involved in the decision making process. We are allowed to carry out solely automated decision-making in the following circumstances:
- Where it's necessary to enter into or carry out a contract with an individual
- It's authorised by law
- Where an individual has given their explicit consent
In all circumstances, we need to have suitable safeguards in place to protect your rights and interests. This includes:
- Giving you the right to ask for a person to be involved in the decision, express your point of view, ask for an explanation, or challenge the decision
- Have appropriate measures in place to correct any inaccuracies and minimise the risk of mistakes happening in the decision making process
- Prevent any discriminatory effects or bias.
As part of the recruitment process, we make some solely automated decisions in limited circumstances. For example, there may be a requirement to complete an automated online test which is used to shortlist candidates for a role. The method and minimum criteria for any automated online testing of a candidate will depend on the requirements of the role. If you would like more information about automated decision making in the recruitment process please contact our HR support team.
Do you share my personal information with anyone?
We will only share your information with those who have a business need to see it. That will usually mean the hiring manager, the HR team, the finance team, facilities and IT.
We will only share your personal information with the following third parties for the purposes of processing your application:
- Recruitment agency
- Psychometric testing providers – where you are required to take an assessment for the role
- Background check provider
- Your named referees
All our third-party service providers are required to take appropriate security measures to protect your personal information. We don't allow our third-party service providers to use your personal data for their own purposes. We only allow them to process your personal data for specified purposes and only in accordance with our instructions.
Do you transfer my personal information abroad?
We will not usually transfer any of your personal information outside of the UK or the European Economic Area (which is the European Union countries plus Iceland, Liechtenstein and Norway) (EEA).
However, we do use third party providers who may use sub-contractors based outside of the EEA – including our background check provider, our psychometric testing providers and the system you use to apply for the role. Our background check provider is based in the UK but it may carry out some of the background checks using sub-contractors based outside of the UK. Our psychometric testing providers hold data in the EEA, but its sub-contractors may process your information from the United States, India and South Africa when providing support. Our HR and finance system, Workday, which stores your application is hosted in the EU but has support teams in New Zealand, the United States and IBM who provide support for our HR and finance system, process your data from India.
We have a contract in place requiring third parties to protect your information, including when they are processing personal information outside of the EEA.
What security measures do you take?
We've put in place a variety of measures to protect the security of your information and we regularly test these controls.
Third parties will only process your personal information on our instructions. They must also have agreed to treat the information confidentially and to keep it secure. We have also put in place security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know about it. They will only process your personal information on our instructions and have a duty of confidentiality.
We've also put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach wherever we're legally required to.
If you would like further details of our security measures, please contact the security team who will be able to provide further information where appropriate.
How long will you keep my information for?
We only keep your personal information for as long as is necessary to complete the purpose(s) we collected it for and in line with our legal obligations. This includes satisfying any legal, accounting, or reporting requirements.
If your application is successful, personal information you have provided during the application process will be kept in your employee file for the duration of your employment plus 6 years following the end of your employment.
Background check documents including credit reports, criminal record checks and references are retained by our background check provider and will be securely destroyed by them 6 months from the date they carried out the relevant check.
If your application is unsuccessful, we will retain your personal information on our applicant tracking system for 6 months from the date you applied for the role. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our retention schedule.
If you are already an employee and your application is unsuccessful personal information you have provided during the application process will be kept in your employee file for the duration of your employment plus 6 years following the end of your employment.
Under certain circumstances, the law gives you the right to:
- Ask for access to your personal information (commonly known as a "data subject access request" or "SAR"). It gives you a copy of the personal information we hold about you and lets you check we're processing it as we should.
- Ask to correct the personal information we hold about you. For example, it may be incomplete or inaccurate.
- Ask for your personal information to be deleted (also known as the 'right to be forgotten'). It means you can ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to the processing of your personal information in certain situations. One is where we are relying on a legitimate interest or those of a third party, but there is something about your particular situation which makes you want to object to that reason.
- Ask for the processing of your personal information to be restricted. You can ask for this, for example if you want us to confirm its accuracy or the reason for processing it.
- Ask for the transfer of your personal information to another party.
- Right to withdraw consent – in the circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
Normally, you won’t have to pay anything to exercise these rights and we will have one month to respond to you. If you wish to make a request, please contact us at [email protected].
You won't have to pay a fee to access your personal information (or to exercise any of the other rights). But we might charge a reasonable fee if your request for access is clearly unfounded or excessive. Or we might refuse to comply with the request in these circumstances.
We may need specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another security measure to make sure personal information isn't disclosed to anyone that has no right to receive it.
It's important that the personal information we hold about you is accurate and current. Please keep the resourcing team or your recruitment agency updated if your personal information changes during the recruitment process.
Do I have a right to withdraw my consent?
Where you may have given your consent to the collection, processing and transfer of your personal information, you have the right to withdraw your consent for processing for that purpose at any time.
To withdraw your consent, please contact our HR Support team.
Once we've had notification that you've withdrawn your consent, we'll stop processing your information for the purpose(s) you originally agreed to, unless we have another legitimate legal basis to do it.
What if I'm unhappy with how you’ve handled my information?
Our data protection officer (DPO) is Michelle Goddard. You can also contact our DPO at [email protected]. Michelle or a colleague on her behalf will help deal with your concern.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time. If we make any substantial updates, we will make the updates, or any new privacy notice, available to you. We may also notify you in other ways from time to time about the processing of your personal information.
This notice was last updated in September 2021.