- Home /
Privacy notice
This privacy notice sets out how you can expect us to use your personal information when you visit our website and when you use one of its services.
To make it easier to learn more about our use of personal information in different areas of our work we’ve separated the notice into sections below. You can select the reason we process your personal information and see what we do with it.
On this page
- About us
- Where we get information from
- Your rights
- What if I’m unhappy with how you’ve handled my information?
- Visiting our website
- Links to other websites
- Monitoring social media
- Applying for a job with us
- Using our online complaint form
- Taking part in a procurement process
- Buying our consumer leaflets
- Signing up to Ombudsman News
- Visiting our offices
- Participating in a recorded event or meeting
About us
The Financial Ombudsman Service is the data controller for any personal information that we process unless we state otherwise. If you wish to contact us, you can find details here.
Financial Ombudsman Service
Exchange Tower, London, E14 9SR
www.financial-ombudsman.org.uk
0300 123 9 123 or 0800 023 4 567
Where we get information from
Most of the personal information that we process is given to us directly by you for one of the following reasons:
- You have made a complaint or enquiry to us
- You wish to attend, or have attended a webinar or outreach event
- You subscribe to Ombudsman News
- You have applied for a job with us
- You have visited our office
- You have taken part in a procurement exercise or bought complainant leaflets
We also receive information indirectly when we monitor publicly available information.
Your rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information and are subject to the restrictions set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Your data rights
-
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
-
You have the right to rectification of inaccurate personal data concerning you without undue delay. This includes the right to have incomplete personal data completed. This only applies to factual information and not opinions.
-
You have the right to ask us to erase your personal information in certain circumstances.
-
You have the right to ask us to restrict the processing of your information in certain circumstances.
-
You have the right to object to processing if we are able to process your information because the processing forms part of our public task or is in our legitimate interests.
-
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or for the performance of a contract, and the processing is automated. It doesn’t apply if we are processing your information as part of our public task.
-
Automated individual decision-making is a decision that has a legal or similarly significant legal effect on you – and is made without any human involvement. We do not carry out any solely automated decision making as part of our casework process.
Due to the nature of the work that we do, we may refuse such requests from you in accordance with relevant legislation. Our overall aim, however, is to be as fair and transparent as possible and we will only refuse such requests where we consider that we are legally justified in doing so.
What if I’m unhappy with how you’ve handled my information?
If your concerns aren’t related to data protection, for example you’re unhappy with the customer service you’ve received, or the information uncovered from your subject access request, please contact your case handler in the first instance. You can find more information about our process for handling complaints about our customer service on our website.
If you’re not happy with how we’ve handled your personal information, please get in touch with us as soon as possible.
If you want to make a complaint about how we have handled your personal information, then you should do so within three months. Waiting longer than that could affect our ability to look into your complaint.
We have a two-stage process for responding to a complaint relating to data protection.
If you have a dedicated case handler then please contact them in the first instance. Your complaint will first be dealt with by the appropriate manager.
In most instances, this resolves things. But if you remain unhappy, you can escalate your concerns to our Information Rights Team at [email protected]. A member of our Information Rights Team will then respond to your complaint. Our Data Protection Officer (DPO) is Michelle Goddard.
You should give us an opportunity to look into your complaint first, but if you’re unhappy with the final response you receive from our Information Rights Team, then you can contact the Information Commissioner’s Office at www.ico.org.uk, [email protected] or 0303 123 1113.
If you do not have a dedicated case handler and wish to make a complaint about how we’ve handled your personal information then please contact our Information Rights Team directly at [email protected].
Visiting our website
Analytics
When you visit www.financial-ombudsman.org.uk we use third-party services, Google Analytics and Hotjar, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google or Hotjar to make, any attempt to find out the identities of those visiting our website.
If we do collect personal information through our website, we’ll be upfront about this. We’ll make it clear when we collect personal information and we’ll explain what we intend to do with it.
Cookies
We use a cookies tool to gain consent for the optional cookies we use. You can read about how we use cookies on our website.
Security and performance
We use a third-party web application firewall from Cloudflare to help maintain the security and performance of our website. The service checks that traffic to the site is behaving as would be expected. The service will block traffic that is not using the site as expected. To provide this service, Cloudflare processes site visitors’ IP addresses.
Cloudflare relies on Standard Contractual Clauses (SCCs) as a legal mechanism to transfer this information to Cloudflare servers which are located in the US. They hold the information for up to thirty days.
Amazon Web Services hosts our website in the UK and Ireland and holds traffic information for 12 months.
Search Engine
Our website search is powered by Amazon Elastic Search. Search queries and results are logged anonymously to help us improve our website and search functionality. No identifiable personal information is collected by us or Amazon Elastic Search.
Our legal basis
We collect information to maintain and monitor how our website is performing and to make improvements to the site and the service that we offer to our website users.
We rely on your consent to process non optional cookies. You can withdraw your consent at any point. Our legal basis for analytics, security and performance and our search engine is that it is necessary for the purposes of our or your legitimate interests.
Links to other websites
Where we provide links to websites of other organisations, this privacy notice doesn’t cover how those organisations may use your personal information. You should refer to their privacy notices to check how your information will be used.
Monitoring social media
We monitor publicly available social media data, using a commercially available automated social media monitoring tool which gathers information and monitors content about topics related to our functions through publicly available information on platforms such as Twitter, Facebook, Instagram and LinkedIn.
We currently use the social media analytics tool, Orlo.
What personal information we need
We may collect personal information of social media users if users comment on or post about the Financial Ombudsman or related topics or send a direct message to the Financial Ombudsman's own social media channels in order to communicate directly with us.
The data gathered through tools may include social media handles and content from posts which are publicly available.
Our legal basis
Our legal basis for collecting this personal information is that it is necessary for the purposes of our or your legitimate interests to monitor public sentiment, pick up on developing trends and communicate with customers.
We do not actively collect special category personal data in our social media monitoring, but we may process such data in monitoring social media content where such data is included in social media posts. Special category data includes information about your health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, sex life or sexual orientation. Our lawful basis for processing this information is:
- the processing is necessary for reasons of substantial public interest, and
- the processing relates to personal data which are manifestly made public by the data subject
What we do with it
The data we obtain through social media monitoring is used to help us respond to posts and messages and to monitor overall engagement with our content as well as mentions of our organisation, and related topics.
Insight reports will be prepared for internal use and will generally use aggregated data. However, individual quotes may be captured as examples and used to describe the general attitude towards the Financial Ombudsman, financial services or related topics.
Data may have been subject to automated decision-making to identify it as falling within a search description or sentiment.
We do not have any influence on the scope of data that is collected by social networks through their sites. If you use them, you should check the policies of the relevant platforms to understand how they protect your data.
How long we keep it
We will from time to time retain identifiable information that is downloaded from our social media monitoring in order to compile reports. Personal data will be stored for a maximum of up to two years on our social media analytics tool and will then be deleted.
Who we share your personal information with
Orlo processes your publicly available personal information on our behalf. We have a contract in place with Orlo and they are required to comply with law, only act on our instructions, to not share it with others unless we give permission, and to keep your personal information secure.
Any personal information downloaded from monitoring tools onto our IT systems will be shared with our IT suppliers who provide email, and document management and storage services.
Applying for a job with us
Please see our privacy notice for candidates.
Using our online complaint form
Please see our privacy notice for consumers for information on how we use your personal information when you refer a complaint to us about a financial business.
Our online complaint form is hosted by Egress Software Technologies Ltd (Egress), who process your personal information on our behalf. We have a contract in place with Egress and they are required to comply with the law, only act on our instructions, to not share it with others unless we give permission, and to keep your personal information secure. Egress hold the personal information you submit through the online form for up to 60 days after you submit it – this will include your name, contact details, complaint details and any other information you provide in making your complaint. This is to ensure that all submissions have been received as expected.
Our form also uses the service Google reCAPTCHA. This service is used to ensure data entered on the form has been entered by humans rather than an automated programme. The reCAPTCHA searches for the presence of Google cookies on your browser and gathers software and hardware information like your IP address, browser plug-ins and the device you’re using. Data for reCAPTCHA is collected and transmitted to Google LLC which may involve transmission of data to the US. It is subject to Google Privacy Policy and Terms of use.
Taking part in a procurement process
What personal information we need
If you take part in one of our procurement processes, then we collect your information, including your personal information. This includes your contact details – including in your capacity as a representative of a business – and other information you supply as part of the process, such as CVs.
Why we need it
We need your personal information to allow you to engage in our procurement process and to ensure we can facilitate the procurement process.
Our legal basis
Our legal basis for processing your personal information is that we need it to take certain steps (e.g. allow you to bid) before entering into a contract with you.
What we do with it
We use your personal information to set up an account on our procurement portal for you. On this portal you can view current and past tender opportunities, bid and view contracts. We also use your personal information to assess and decide whether to accept your bid.
How long we keep it for
Information received as part of a tender application – whether successful or unsuccessful – is retained for six years from the end date of the contract which arose from the tender process in question.
Who we share your personal information with
Our procurement portal is hosted by BravoSolution UK Limited (Bravo), who process your personal information on our behalf. We have a contract in place with Bravo and they are required to comply with the law, only act on our instructions, to not share it with others unless we give permission, and to keep your personal information secure.
Buying our consumer leaflets
What personal information we need
When you buy our consumer leaflets we need some personal information including your full name, email address, your organisation and payment details.
Why we need it
We need your personal information to process your order.
Our legal basis
We’ll process your personal information where it’s necessary for us to perform a task in the public interest and where it’s necessary to deliver a contractual service to you.
What we do with it
We use your personal information to process your order, including payment, and to then send the leaflets to you.
How long we keep it for
We keep your information for six years.
Who we share your personal information with
Our consumer leaflet ordering microsite is hosted and maintained by Studio NODA, who process your personal information on our behalf. Studio NODA use Magento E-Commerce to process payments made through the microsite. We have a contract in place with Studio NODA and they are required to comply with the law, only act on our instructions, to not share it with others unless we give permission, and to keep your personal information secure.
Signing up to Ombudsman News
What personal information we need
If you sign up to Ombudsman News, we ask you to provide your email address and whether you’re a business, a consumer or another type of reader.
Why we need it
We need your email address to send you each edition of Ombudsman News.
We ask what kind of reader you are so we can make sure we’re including interesting and useful information in the newsletter. You don’t have to provide this information in order to sign up to receive Ombudsman News.
Our legal basis
We rely on your consent to process this personal information. You can withdraw your consent at any point.
What we do with it
We use your personal information to:
- Add you to our mailing list for Ombudsman News
- Email you new editions of Ombudsman News
- Let you know about anything important affecting your subscription, such as your right to unsubscribe
- Ask you for your feedback about Ombudsman News so we can make sure it’s useful to our readers – but only if you give us separate consent for this
- Understand what content consumers, businesses and other readers engage with in Ombudsman News, so we can provide more of it
How long we keep it for
If you unsubscribe, your email address will be kept on our database solely to ensure you are not sent any further newsletters from us. We will keep your email address for this purpose until any time that you ask us to remove your details from our suppressed contact database. If you do this, we cannot guarantee that you will not receive future email newsletters from us.
Who we share your personal information with
We use Mail Metrics Business Service Ireland Ltd. to manage our Ombudsman News mailing list, to send the latest editions of Ombudsman News, to host the newsletters and to provide analytics on the engagement with the newsletters. Mail Metrics Business Service Ireland Ltd. process your personal information on our behalf. You can access Mail Metrics Business Service Ireland Ltd. privacy notice on their website.
The Financial Ombudsman Service uses cookies and the like for the purposes of statistical analysis, improving the friendliness and usability of our website, tailoring content to your interests and engaging with social media. By visiting our website, you consent to our and third party use of cookies as described in our privacy and cookie policy.
Visiting our offices
We operate closed circuit television (CCTV) at our facilities at Exchange Tower and Friargate for the purpose of maintaining the safety and security of our employees, contractors and visitors and to monitor the security of our buildings as well as preventing and investigating crime.
What personal information we need
Our CCTV will capture visual images of individuals entering and exiting our reception areas, individuals entering and exiting our floors including our café, gyms and our controlled access secure rooms.
Our legal basis
Our legal basis for processing your personal information in this format is that it is necessary for our or your legitimate interests. We process this data to assist in the prevention and detection of crime, to ensure that access to our systems and buildings are secure and protected. We also have a legitimate interest in safeguarding our staff, contractors, and visitors.
What we do with it
The CCTV cameras in operation do not record audio and only operate when they detect motion.
Access to the CCTV recordings is limited to our security personnel only.
Who we share your personal information with
We process the data captured by the CCTV cameras in operation at the Financial Ombudsman Service.
In some circumstances we may share or be required to disclose CCTV images with relevant third parties – such as building security where we consider there is a legitimate reason to do so or certain bodies of authority, such as the police in order to support the detection and prevention of crime.
How long we keep it
We hold CCTV recordings for a period of one month after the date of capture and recordings are automatically overridden at the end of this period. CCTV recordings that we determine are required after its retention period will be extracted from the CCTV system and saved in a secure location and the length of time that we will store this data for depends on the purpose that it has been required – i.e. criminal investigation or legal proceedings.
Participating in a recorded event or meeting
We host online meetings and events, such as panel discussions, webinars, training and focus groups. We may record events to widen access to the content or to facilitate notetaking. We will always let you know in advance if a meeting or event is going to be recorded.
The personal information we need
If you’re attending or presenting at a recorded meeting, we will collect and process:
- your name and email address
- your image and audio that is captured in the recording.
If you’re attending, you can choose whether to share your image and audio during the session to be captured in the recording.
Why we need it and our legal basis
Our purpose for collecting this information – and the legal basis we rely on – will depend on the meeting and why the recording is being made.
We’ll process your personal information:
- for our legitimate interest in having greater and more effective engagement with the Financial Ombudsman Service’s employees and third parties
- if you have given clear consent for us to process your personal data for a specific purpose
- if we need to carry out work so that we can deliver our statutory functions better – public task
- where we have a contract in place that requires us to process your personal data.
How long we keep your personal information for
We will keep your email address, and any recordings or transcripts of an event, for only as long as we need it.
We keep focus group recordings and transcripts for up to 30 days after a session. And if you’ve taken part in a focus group, we’ll keep your email address for three years.
Who we share your personal information with
We use Microsoft Teams to record our meetings and events. More information is available in the Privacy section of the Microsoft Trust Centre.