Privacy

This page sets out how we handle personal data in the performance of our functions as the UK’s central bank, and how we protect the privacy of the individuals whose data we process.

The Bank of England (‘we’ or the ‘Bank’) is the UK’s central bank.  Our mission is to promote the good of the people of the United Kingdom by maintaining monetary and financial stability. You can find more detailed information about what we do elsewhere on our website, here.

For a number of the activities that we undertake to achieve our mission, we need to process personal data. This may include data that relates to our staff, to business contacts, to customers or staff of the firms we regulate, or to members of the public.

We recognise our privileged position in receiving this data. The Bank is committed to protecting the privacy of the individuals whose data we process, and to meeting its responsibilities to process personal data in a way that is consistent with the principles set out in data protection laws.

The information on this page in intended to describe at a high level:

• the purposes for which we need to process personal data
• the types of personal data that we process for those purposes; and 
• how we collect and use this data, and how we ensure, in doing so, that this meets the requirements set out in data protection laws.

Where we collect personal data directly from individuals, either through our website or elsewhere, we will provide a privacy notice that sets out in more detail how this information will be used. 

To understand in more detail how the Bank processes personal data, please contact us using the details set out below.

Special category data

Data protection laws recognise certain types of information as being particularly sensitive. In some instances, as part of the functions described above we may need to process special category or criminal data about individuals. Where this is the case, we will only do so where we have identified this is necessary and where this for one of the reasons where data protection laws allow us to do so. We maintain policies and procedures to apply additional care to this data.

Emailing us

We monitor emails or other electronic communications with us, including any attachments these contain. We do this to meet the legitimate interests we have in ensuring the security of our networks and systems, for compliance and professional standards purposes, as well as in some instances where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority of the Bank. Emails are scanned by Mimecast. You can read their privacy policy here: https://www.mimecast.com/company/mimecast-trust-center/gdpr-center/privacy-statement. Blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is lawful and appropriate. Emails sent to us from outside the Bank are retained for legal and compliance reasons for 7 years.

When we share data

In some circumstances, we may need to share personal data with other organisations. This will, in some circumstances, involve sharing special category or criminal personal data. Situations in which we may need to disclose personal data to a third party include:

• to other financial services regulators (for example, the Financial Conduct Authority) and other central banks as part of ongoing supervision or enforcement;
• to external auditors during audits or similar exercises;
• to past or future employers, as part of reference checks for staff;
• to law enforcement agencies or the courts, where this is necessary for crime prevention or detection (including the provision of CCTV footage)

We will only share personal data with others when we are legally permitted to do so.

International transfers of personal data

For some of the purposes for which we need to process personal data, this may be transferred to other countries. Data protection laws don’t allow organisations to transfer personal data outside the EEA, except where they can ensure this will be appropriately protected. In any instances where the Bank or an organisation acting on our behalf transfers personal data outside the EEA, we will ensure this in compliance with one of the safeguards set out in data protection laws in order to ensure that data is protected.

Retention of personal data

We retain personal data for as long as is required for the purposes for which we collect it, and other purposes that are not incompatible with this. When determining retention periods, we will have reference to, amongst other things, whether we need to keep this for statutory or audit purposes. Details of the retention periods for different types of personal information are set out in the Bank’s Records Classification Scheme. Where possible, we will seek to anonymise personal information so that it can no longer be associated with the individual. When we have identified this is no longer required, we have measures in place to securely dispose of personal data.

Individuals’ information rights

You have a number of rights under data protection laws in relation to data held about you. For example, under certain circumstances, by law you have the right to:

• Request access to your personal information (sometimes known as a ‘subject access request’). This enables you to receive a copy of the personal information we hold about you.
• Request correction of the personal information that we hold about you. This enables you to ask us to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.

The rights set out above are not absolute and are subject to a number of important exemptions and limitations that mean we don’t always need to comply with your request.

The Bank’s Data Protection Officer

The Bank has appointed a Data Protection Officer, who is supported by the Privacy Team in the Bank’s Security and Privacy Division and whose role includes acting as a point of contact for individuals in relation to concerns around how their data is processed. You can contact the Bank’s Data Protection Officer using the details below:

Data Protection Officer Bank of England Threadneedle Street London, EC2R 8AH Email: data-protection@bankofengland.co.uk

Changes to our privacy information

The Bank will update this page with important changes, or otherwise update specific privacy notices relevant to how we process your data. This page was last updated in May 2018.