Privacy and the Bank of England

This page sets out how we handle personal data in the performance of our functions as the UK’s central bank, and how we protect the privacy of the individuals whose data we process.

We will handle personal data in the performance of our functions as the UK’s central bank

We collect personal data about business contacts, customers or staff of the firms we regulate, our staff or members of the public

We will only process personal data in a way that is fair and lawful. When we need to process personal data, we will take appropriate steps to keep it secure

We will respect the rights individuals have in relation to data we hold about them

The Bank of England (‘we’ or the ‘Bank’) is the UK’s central bank. Our mission is to promote the good of the people of the United Kingdom by maintaining monetary and financial stability. You can find more detailed information about what we do elsewhere on our website.

For a number of the activities that we undertake to achieve our mission, we need to process personal data. This may include data that relates to our staff, to business contacts, to customers or staff of the firms we regulate, or to members of the public.

We recognise our privileged position in receiving this data. The Bank is committed to protecting the privacy of the individuals whose data we process, and to meeting its responsibilities to process personal data in a way that is consistent with the principles set out in data protection laws.

The information on this page in intended to describe at a high level:

  • the purposes for which we need to process personal data
  • the types of personal data that we process for those purposes; and 
  • how we collect and use this data, and how we ensure, in doing so, that this meets the requirements set out in data protection laws.

Where we collect personal data directly from individuals, either through our website or elsewhere, we may provide additional privacy information that sets out in more detail how this information will be used.

To understand in more detail how the Bank processes personal data, please contact us using the details set out below.

How we use personal data in our work

We need personal data to perform a number of the activities that support our mission. Click on the below to find out more about how we process personal data for each of these.
  • As part of our official functions, and in the public interest, we regulate and supervise banks, building societies, credit unions, insurers, financial market infrastructures and major investment firms (‘firms’). We have supervisory and disciplinary powers under the Financial Services and Markets Act 2000 (FSMA), Banking Act 2009 and under or as a result of regulations made under section 8 of the European Union (Withdrawal) Act 2018 that can involve the processing of personal data. These include assessing applications to perform senior management functions, assessing the ongoing security of firms’ soundness, assessing compliance with regulation or taking action in the event of non-compliance with regulation. 

    The majority of information we receive is about the firm’s business, such as how it is structured and how it operates, but some personal data about the firm’s employees and clients may also occasionally be required (such as names, professional information, financial information, addresses, opinions and, in some cases, detailed information about identity and fitness to act in certain roles). We receive this information from individuals, from firms or from third parties (for example, the Financial Conduct Authority).

  • As part of our official functions, and in the public interest, we gather, analyse and publish data, which we use to inform our policy decisions and response to key economic events or crises and to supervise firms. 

    Some data collected by the Bank for the purposes of statistical and market analysis, research and policy development that support these objectives include personal data. Certain regulatory returns and other sources include, for example, financial information, professional information, location information, information about civil proceedings, opinions, and information to monitor diversity, such as ethnicity/ nationality, sexual orientation, gender identity, socio-economic status and health/disability status.  In support of our mission, it is often necessary to have a broad range of information to enable us to effectively and efficiently meet our responsibilities.

    These sources of information may be collected from the Financial Conduct Authority, the Office of National Statistics, firms we regulate, and other third parties, including Land Registry, credit reference agencies, commercial databases or publicly available sources.

    More information about our research and statistical work is available on our Statistics pages.

  • As part of our official functions, and in the public interest, when you exchange banknotes we ask for identification and other information to verify you are who you say you are, and to meet other legal and security obligations. More information is available on our Banknotes pages.
  • Information we receive as part of our official functions as a central bank can include personal data. This processing is necessary for the performance of tasks in the public interest and in the exercise of official authority of the Bank in providing critical banking, payment and settlement services, acting in the financial marketplace to manage the Bank’s balance sheet and the reserves of the Bank and HM Treasury, as well as providing foreign exchange and other money market services for customers. 

    The Bank collects personal data about you if the bank or building society with which you have a loan participates in the Sterling Monetary Framework, the Funding for Lending Scheme and/or the Term Funding Scheme and intends to use a loan portfolio which contains your loan as security against Bank funding. We collect personal data under the contractual arrangements we have in place with banks and building societies to assess the eligibility of the loan portfolio as security. We ask your bank or building society to remove the personal data as far as possible. This means that, where possible, we use identifiers in place of your personal data (and that the Bank cannot identify you based solely on the information your bank or building society has provided to us).

  • Our cookies statement gives you more information about how we use personal data when individuals visit our website, including how we use cookies. This notice does not cover links to other websites or any interactions you have with third parties. We encourage you to read the privacy statements of all other websites you visit and third parties with whom you interact.
  • We ask for photo identification for all visitors. If you do not provide it, you will not be able to enter the premises.  CCTV also operates on-site.  It is necessary to do this for the performance of a task carried out in the public interest or in the exercise of official authority of the Bank, and to further our legitimate interests in securing our premises, assets, staff and visitors. 

    If you visit the Bank of England Museum, you may receive separate privacy information.

  • We require information about education and professional background in our recruitment process. A separate privacy notice is provided to applicants on our careers pages and as part of the on-boarding process.
  • We undertake a range of activities to improve public understanding of what we do. As part of our official functions in improving public understanding, we may collect personal data to arrange events or distribute materials. To attend some events we may collect identification or conduct security checks. We will process the personal data you choose to give us, which will usually include your name and a method of contacting you. Should you provide a form of identification, we will also process this personal data.
  • We maintain networks of individuals across industries so that we can contact them to understand trends in the economy, and the impacts of regulatory decisions.  Some of our external contacts also speak at Bank events or act as advisers. Without maintaining these networks, we cannot perform tasks that are necessary in the public interest or in the exercise of official authority of the Bank.

    The types of personal data we process for this will usually be limited to individuals’ name, business contact information and opinions. We usually receive these details direct from individuals we engage with, or from publicly available sources. We use the information to communicate, arrange events, issue surveys and promote our activities. More information on how we gather market intelligence is available on our Markets pages.

  • If you contact our public enquiries team, submit a request or complaint, sign up to specific mailing lists or choose to respond to consultations, we will receive personal data from you. We will process the personal data that you choose to give us. This usually includes your name and business or personal contact information. 

    We will make it clear if we are asking for your consent to process your information. Otherwise, our basis for processing this data may be that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority of the Bank, that it is necessary for the legitimate interests of the Bank to engage with the public or that it is necessary for the Bank to perform a legal obligation. 

    In line with regulated firms, we record telephone calls to our Markets Directorate including to assist audit and compliance. We also record telephone calls to our Public Enquiries Group (for training and monitoring purposes).

    If you engage with us in relation to Banknotes, more information is available on our Banknotes pages.

    If you contact us about a whistleblowing matter, more information is available on our whistleblowing page

Special category data

Data protection laws recognise certain types of information as being particularly sensitive. In some instances, as part of the functions described above we may need to process special category or criminal data about individuals. Where this is the case, we will only do so where we have identified this is necessary and where this for one of the reasons where data protection laws allow us to do so. We maintain policies and procedures to apply additional care to this data. 

Emailing us

We monitor emails or other electronic communications with us, including any attachments these contain. We do this to meet the legitimate interests we have in ensuring the security of our networks and systems, for compliance and professional standards purposes, as well as in some instances where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority of the Bank. Emails are scanned by Mimecast. You can read their privacy policy here: https://www.mimecast.com/company/mimecast-trust-center/gdpr-center/privacy-statement. Blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is lawful and appropriate.  Emails sent to us from outside the Bank are retained for legal and compliance reasons for 7 years.

When we share data

In some circumstances, we may need to share personal data with other organisations.  This will, in some circumstances, involve sharing special category or criminal personal data.  Situations in which we may need to disclose personal data to a third party include:

  • to other financial services regulators (for example, the Financial Conduct Authority) and other central banks as part of ongoing supervision or enforcement; 
  • to external auditors during audits or similar exercises;
  • to past or future employers, as part of reference checks for staff;
  • to law enforcement agencies or the courts, where this is necessary for crime prevention or detection (including the provision of CCTV footage)
  • to third parties who provide elements of services for us (data processors). We have contracts in place with our data processors. This means that they will use personal data only in accordance with instructions provided by the Bank in order to deliver the agreed services. They will hold it securely and retain it for the period we instruct. 

We will only share personal data with others when we are legally permitted to do so. 

International transfers of personal data

For some of the purposes for which we need to process personal data, this may be transferred to other countries. UK data protection laws don’t allow organisations to transfer personal data outside the UK, except in circumstances that include:

  • where the recipient is located in an EEA country
  • where the recipient is located in a non-EEA country but the data protection regime in that country is considered "adequate" for the purposes of UK data protection laws; or 
  • where appropriate safeguards for the protection of personal data are in place.

In any instances where the Bank or an organisation acting on our behalf transfers personal data outside the United Kingdom, we will ensure this is carried out in compliance with UK data protection laws in order to protect personal data.

Retention of personal data

We retain personal data for as long as is required for the purposes for which we collect it, and other purposes that are not incompatible with this. When determining retention periods, we will have reference to, amongst other things, whether we need to keep this for statutory or audit purposes. Details of the retention periods for different types of personal information are set out in the Bank’s Records Classification Scheme. Where possible, we will seek to anonymise personal information so that it can no longer be associated with the individual. When we have identified this is no longer required, we have measures in place to securely dispose of personal data.

Individuals’ information rights

You have a number of rights under data protection laws in relation to data held about you.  For example, under certain circumstances, by law you have the right to:

  • Request access to your personal information (sometimes known as a ‘subject access request’). This enables you to receive a copy of the personal information we hold about you.
  • Request correction of the personal information that we hold about you. This enables you to ask us to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

The rights set out above are not absolute and are subject to a number of important exemptions and limitations that mean we don’t always need to comply with your request. 

  • To request a copy of the personal data the Bank holds about you, please contact us at:

    Information Access Team
    Bank of England
    Threadneedle Street
    London, EC2R 8AH
    Email: data-protection@bankofengland.co.uk

    To contact us about any other individual rights, including requesting an amendment to, or deletion of, your personal data, please contact us at:

    Privacy Team
    Bank of England
    Threadneedle Street
    London, EC2R 8AH
    Email: data-protection@bankofengland.co.uk

    We will try to deal with your request as soon as practical. We will sometimes need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

    For further information or if you wish to follow up your request or report a concern around how your personal data has been processed, you can contact the Bank’s Data Protection Officer. You can also report concerns to the Information Commissioner’s Office, the regulatory authority for data protection in the UK.

The Bank’s Data Protection Officer

The Bank has appointed a Data Protection Officer, who is supported by the Privacy Team in the Bank’s Compliance Division and whose role includes acting as a point of contact for individuals in relation to concerns around how their data is processed. You can contact the Bank’s Data Protection Officer using the details below:

Data Protection Officer
Bank of England
Threadneedle Street
London, EC2R 8AH
Email: data-protection@bankofengland.co.uk

Changes to our privacy information

The Bank will update this page with important changes, or otherwise update specific privacy notices relevant to how we process your data. This page was last updated in October 2021.

This page was last updated 31 January 2023