Candidate privacy notice

Under data protection law, we're a 'data controller'. This means that we're responsible for deciding how we hold and use personal information about you.

Please read this notice. We may send you other privacy notices from time to time and it's important you read those too. We want you to be aware of how and why we're using your information.

We keep this privacy notice under regular review to make sure it's up to date and accurate and will communicate with you if we make any substantial changes.

This privacy notice applies to anyone who is applying for work with us whether as an employee, temporary worker or contractor.

‘Personal information’ – sometimes referred to as personal data – is information that identifies an individual. It does not include information that has been anonymised so that it cannot be linked back to an individual.

‘Processing’ means any use of personal information including collecting, recording, organising, storing, changing, retrieving, consulting, sharing, destroying and any other type of use.

When you register your interest in a role, or apply to work with us, we will collect, store and use the following categories of personal information about you:

• candidate ID
• information you've provided on our application form, including but not limited to:
  • name
  • title
  • address
  • telephone number
  • personal email address
  • date of birth
  • gender
  • employment history
  • qualifications
  • unspent criminal convictions
  • adverse credit history
  • current salary or hourly or day rate, and
  • National Insurance number.
• any information you provide to us during any tests, case studies, or assessment centres completed as part of the recruitment process
• any information you provide to us during your interview
• appraisal forms and other performance management information, for internal candidates only.

If you're successful in your application to join us, we will collect, store, and use the following categories of personal information about you:

• any personal details required to set you up on our systems such as your bank details, contact details and information about your next of kin
• references from previous employers and/or other professional individuals who know you
• any information about credit discrepancies revealed by a credit check
• any information about unspent criminal convictions revealed by a basic criminal records check
• copies of right to work documentation including a copy of:
  • your passport
  • your visa
  • any relevant Home Office correspondence, or
  • any other official documentation which shows that you have the legal right to work in the UK.
  • any information revealed by adverse media checks
  • proof of address documentation such as a council tax bill, utility bill or bank statement.

Data protection laws recognise that some types of personal information might be more sensitive. This is commonly referred to as 'special category personal data'. We may collect, store and use special category personal data about you as follows:

• • We actively monitor the diversity of the candidates who apply to work with us. This means we will ask for information about your race or ethnicity, religious beliefs and sexual orientation. It's completely your choice if you want to provide this information and it's never given to those making selection decisions.
  • Information that we record about your health, including information on any workplace adjustments that you need to take part in the recruitment process. This will never be used as part of a selection decision.
  • If you're successful in your application to join us, we will collect information about your health, where relevant, to allow us to make any necessary workplace adjustments for you as an employee.
  • If you're successful in your application, we'll also collect information about unspent criminal convictions revealed by a basic criminal records check.

While we mainly collect personal information directly from you, sometimes we gather personal information about you from third parties, for example:

• personal information provided by a recruitment agency.
• identity documentation, details of unspent criminal convictions, details of credit check and adverse media check information from our background check provider
• references about you, for example, from previous employers or educational institutions.

We'll only use your personal information when the law allows us to and, most commonly:

• to decide whether to enter into a contract of employment or other type of contract with you
• where it's necessary for our legitimate interests – or those of a third party – but only if your interests and rights don't override those legitimate interests. Our legitimate interest is that we we need your personal information to recruit roles at the Financial Ombudsman.

We have set out below the core reasons why we use your personal information:

• to communicate with you about the recruitment process
• to mask your details to allow for blind screening in the recruitment process
• to assess your skills, qualifications, and suitability for the role
• to carry out background and reference checks, if we offer you a role
• to keep records related to our hiring processes
• to comply with legal or regulatory requirements
• to monitor the diversity of candidates who apply to work with us
• to contact you in future if a similar vacancy comes up within six months of us concluding the recruitment process
• to match your profile against current and future vacancies for as long as your details are held in our prospective candidate talent pool 
• for reporting and to conduct analysis which allows us to identify candidates at different stages, improve the candidate experience and for better planning and to enhance future campaigns.

To collect, store and use special category personal data we need to have an additional justification alongside one of the legal bases set out above. We’ll use your special category data in the following circumstances:

• Where we need to carry out our legal obligations or exercise rights in connection with employment. For example, we will use information about your health to consider whether we need to provide any necessary workplace adjustments.
• Where it's needed in the substantial public interest. For example, we will use information about your race or ethnic origin, religious, philosophical or moral beliefs, or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting. This information is not used in any selection decisions.

If you don't wish to provide information which is necessary for us to consider your application, we may not be able to process your application successfully.

For example, if we require evidence of your qualifications or work history, references or credit checks, and you don't provide them to us, we are unlikely to be able to take your application further.

If we’d like to offer you the role, we will request a basic disclosure of unspent criminal convictions. This is to satisfy ourselves there’s nothing in your criminal convictions history which makes you unsuitable to work for us. Once the recruitment decision has been made, the information collected is destroyed in line with our retention periods.  

We’ll only use any information relating to criminal convictions and offences where the law allows us to. And we have an appropriate policy and safeguards in place when processing such information.

Solely automated decision-making is when an electronic system uses personal information to make a decision without a human being involved in the decision-making process. We are allowed to carry out solely automated decision-making where:

• it's necessary to enter into or carry out a contract with an individual
• it's authorised by law
• an individual has given their explicit consent.

As part of the recruitment process, we make some solely automated decisions in limited circumstances. For example, there may be a requirement to complete an automated online test which is used to shortlist candidates for a role. The method and minimum criteria for any automated online testing of a candidate will depend on the requirements of the role.

We  have suitable safeguards in place to protect your rights and interests when this happens, including:

• giving you the right to ask for a person to be involved in the decision, express your point of view, ask for an explanation, or challenge the decision
• having appropriate measures in place to correct any inaccuracies and to minimise the risk of mistakes happening in the decision-making process
• having appropriate measures in place to prevent any discriminatory effects or bias.

If you would like more information about automated decision-making in the recruitment process, please contact our People Hub

We will only share your information with those who have a business need to see it. That will usually mean the hiring manager, our HR team, our Finance team, Facilities and IT.

We will only share your personal information with the following third parties, where relevant, for the purposes of processing your application:

• recruitment agency
• psychometric testing providers – where you are required to take an assessment for the role
• background check provider
• your named referees.

All our third-party service providers are required to take appropriate security measures to protect your personal information. We don't allow our third-party service providers to use your personal data for their own purposes. We only allow them to process your personal information for specified purposes and only in accordance with our instructions.

We don't routinely transfer any of your personal information outside of the UK or the European Economic Area (which is the European Union countries plus Iceland, Liechtenstein and Norway) (EEA).

However, we do use third party providers who may use sub-contractors based outside the UK and EEA, including:

• our background check provider, who is based in the UK but may carry out some of the background checks using sub-contractors based outside the UK
•  our psychometric testing providers, who process data in the United States and Australia, with further support from sub-contractors in India and South Africa
• our HR system – that you use to apply for the role – and our finance system, which are both supported by ’application management services’ (AMS), with certain services delivered through their subsidiaries and affiliates in India.

We have appropriate contracts in place to make sure your information is protected should it be handled outside the UK. The following types of safeguarding measures will be in place:

• an adequacy decision
• EU standard contractual clauses with the UK addendum
• the EU-US Data Privacy Framework with the UK-US Data Bridge.

We've put in place a variety of measures to protect the security of your information and we regularly test these controls.

Alongside appropriate contracts and instructions for our service providers, we also have security measures to try and prevent your personal information being lost accessed, altered or disclosed in an accidental or unauthorised way.

We limit access to your personal details to those employees, agency, contractors and service providers who have a business need to know about it.

We've also put in place procedures to deal with any suspected data security breach and will notify you, and any applicable regulator, of a suspected breach wherever we're legally required to.

We only keep your personal information for as long as is necessary to complete the purpose we collected it for and in line with our legal obligations.  This includes satisfying any legal, accounting, or reporting requirements.

If your application is successful, personal information you have provided during the application process will be kept in your employee file for the duration of your employment, plus seven years following the end of your employment.

Background check documents including credit reports, criminal record checks and references are stored by our background check provider. They will destroy the documents securely six months from the date they carried out the relevant check, except for when a successful candidate:

• is a resident or a citizen of the United States, or
• has previously worked in the US.

In these cases, some data is retained for 12 months by a sub-contractor in the United States.

If your application is unsuccessful, we will retain your personal information on our applicant tracking system for 18 months from the date you applied for the role. We keep your records for this length of time so that, in the event of a legal claim, we can show that:

• we have not discriminated against candidates on prohibited grounds, and
• we have conducted the recruitment exercise in a fair and transparent way.

After this period, we will securely destroy your personal information in accordance with our retention schedule.

If you are already an employee and your application is unsuccessful personal information you have provided during the application process will be kept in your employee file for the duration of your employment plus six years following the end of your employment.

We retain prospective candidate data for 18 months. After this period, your information will be deleted from our talent pool. 

Under data protection law you have several privacy rights, including the right to:

• ask for access to your personal information – commonly known as a data subject access request (SAR), which gives you a copy of the personal information we hold about you and lets you check we're processing it as we should
• ask to correct the personal information we hold about you, for example, if it's incomplete or inaccurate
• ask for your personal information to be deleted – which is also known as the 'right to be forgotten'. This means you can ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing
• object to the processing of your personal information in certain situations, including, for example, where we're relying on a legitimate interest or those of a third party, but there's something about your situation which makes you want to object to that reason
• ask for the processing of your personal information to be restricted, for example, because you want us to confirm accuracy or our reason for processing it
• ask for the transfer of your personal information to another party.

If you wish to make a request, please contact us at [email protected].   

Once we receive your subject access request, we’ll respond within one calendar month. If we need more time – for example, because the request is complex – we may extend this timeframe. If we do, we’ll let you know as soon as possible.

You don't have to pay a fee to exercise any of your rights. However, we may decline your request, or charge a reasonable fee, if your request  is clearly unfounded or excessive. 

When you make a request, we may need to ask you for specific information to confirm your identity. In relation to the right of access this is a specific security measure to make sure personal information is not disclosed to anyone who has no right to receive it.

It's important that the personal information we hold about you is accurate and current. Please keep the resourcing team or your recruitment agency updated if your personal information changes during the recruitment process.

Where you may have given your consent to the collection, use or transfer of your personal information, you have the right to withdraw your consent at any time. 

To withdraw your consent, please contact our People Hub team.

Once we've had notification that you've withdrawn your consent, we'll stop processing your information for the purposes you originally agreed to, unless we have another legitimate legal basis to do it.

You can contact our Data Protection Officer (DPO) by email. Our DPO, or a colleague, will deal with your concern.

If you’re unhappy with our response, you can contact the Information Commissioner's Office (ICO):

• through the ICO website
• by emailing the ICO casework team, or
• by phone on 0303 123 1113.

We reserve the right to update this privacy notice at any time. If we make any substantial updates, we will make the updates, or any new privacy notice, available to you. We may also notify you in other ways from time to time about the processing of your personal information.

This notice was last updated in February 2026 to update the information about how long we keep the records of unsuccessful candidates.