Personal data and recruitment

We, the Financial Conduct Authority (the ‘FCA’), are the controller of the personal data that we collect about you. This means that we are responsible for deciding how we hold and use personal information about you.

Any information you provide during the application process will only be used for the purpose of progressing your application, or to fulfil any legal or regulatory requirements if necessary. We cannot administer your employment or other relationship with you without your personal data.

We collect many different types of personal data during the progress of your application. Where it is optional for you to provide your data, we will indicate this clearly on the application as optional fields and where data is anonymised and/or only collected for statistical analysis purposes.

The personal data we collect and use

Given the nature of our work, we collect and use a variety of personal data to exercise our recruitment functions, which includes:

• full name
• contact details (email address, existing and previous postal addresses, contact numbers)
• date of birth
• gender
• identity and background information, including criminal and credit checks
• special category data (such as age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex or sexual orientation)
• dependents and next of kin, marital or relationship status, lifestyle and social circumstances, emergency contact information
• financial information (such as National Insurance number, bank details)
• employment and education history
• professional memberships and licenses

Depending upon the job role we may request additional information during various stages of the recruitment such as for purposes of disclosure and barring checks. For your identity and background checks, we will collect and use:

• home addresses (existing and previous)
• driving license and/or national passport (including employment permit details)
• credit reference history
• any relevant offences and criminal records history (spent convictions)

Any personal data collected during administrative procedures, such as during:

• applicant’s written correspondence with us e.g. details to explain the FCA policy on career break
• applicant’s performance information during interviews e.g. interview scores, opinions from interviewers and performance metrics
• investigation of grievances and complaints e.g. for rehires
• any information that you voluntarily provide to us during the course of this process
• information to help us set up an interview and/or assessment with you such as any reasonable adjustments that you may require

How we collect this personal data

To fulfil our recruitment function, we collect personal data from a variety of sources as described below.

From you

You provide us with personal data directly when you apply for a job with us and, if your application is successful, when you complete our [employee information forms] or correspond with us and in the course of performing your job. We also create some personal data ourselves, for instance, in making notes during an interview process.

Where you apply for a vacancy through an agency, that agency will provide us with information about you and that you have supplied to them.

Personal data about you from third parties

We obtain data from various sources (individuals and organisations), such as publicly available directories and online resources, your previous employers, your previous education institutions, your emergency contacts, your use of our systems and platforms, your line manager and co-workers, your dependents and beneficiaries, and third-party benefits providers.

Due to the type of work conducted by the FCA, we also perform background checks on our potential employees. Depending on the job role, these checks can relate to any criminal convictions that you may have and your credit reference history. These checks are necessary under the applicable law and those required for our own policy compliance.

Why we use this personal data

Our purpose for processing this information is to assess your suitability for a role you have applied for and to help us develop and to improve our recruitment process. We will also process your personal data in connection with your application of employment and engagement with us, which includes management and administration of your recruitment with us. You do not have to provide this information but it may affect your application if you don’t.

We will also process your personal data to help us manage and administer our equal opportunities processing and to meet our diversity and inclusion initiatives.

During the recruitment process, we provide optional fields for your completion and where you choose to provide this data:

• we will use your data for statistical or aggregated reporting purposes
• we will use any feedback you provide about our recruitment process to develop and improve our future recruitment campaigns

As we do not require your personal data for these purposes, we convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you.

The lawful basis for us using this personal data

Any information you provide us as part of your application and onboarding process, we rely upon Article 6(1)(b) of the UK GDPR which is processing necessary to enter into and subsequently perform your employment contract.

The lawful basis we rely on to process any information you provide as part of your application which is special category data will depend on the purpose for collecting and processing the data.

• Where we collect information, such as health, religious or ethnicity information, we rely upon Article 9(2)(b) of the UK GDPR which relates to our employment obligations and safeguarding your fundamental rights.
• Where we collect information about your health and reasonable adjustments you require under the Equality Act 2010 to ensure we comply with, we rely upon Article 9(2)(b) of the UK GDPR as the lawful basis which relates to processing is necessary for your/our obligations and rights in the field of employment and social security and social protection law. We also meet the condition under Schedule 1 part 1(1) of the DPA 2018 which again relates to processing for the purposes of performing our obligations under employment or social security law.
• If we are required by law to conduct verification and vetting checks, which may include criminal background checks, the lawful basis we rely upon Article 9(2)(b) of the UK GDPR which relates to processing necessary for your/our obligations and rights in the field of employment and social security and social protection law and the condition under Schedule 1 part 1(1) of the DPA 2018.
• Where we are not required by law to conduct verification and vetting checks or criminal background checks, but we need to do so to assess your suitability for your role, we will ask for your explicit consent for us to carry out checks and will rely upon consent, Article 9(2)(a) of the UK GDPR, as a lawful basis for processing any criminal offence information.
• Where we collect information for purposes of equal opportunity monitoring, such as health, religious or ethnicity information, we rely upon the lawful basis that the processing is necessary for reasons in the substantial public interest. We also meet the condition under paragraph 8, Schedule 1 part (1) of the DPA 2018 that the processing is necessary for promoting equality of opportunity and treatment.

When we share personal data as part of recruitment process

We may need to share your personal data with third parties. This may include:

• our group companies for the management of our business
• your current and past employers and education institutions
• potential buyers in the event that we sell all or part of our business as part of a merger or acquisition
• HMRC for tax purposes
• police, regulatory bodies and courts where we are required to disclose your personal data to comply with a legal obligation, binding court order or warrant
• our legal and financial advisors

When personal data is transferred outside of the EU

We may transfer your personal data to recipients (as set out above) that are established in jurisdictions other than your own. Please be aware that the data protection laws in some jurisdictions may not provide the same level of protection to your personal data as is provided to it under the laws in your jurisdiction.

If any disclosures of personal data referred to above require your personal data to be transferred from within to outside the European Economic Area, we will only make that transfer if:

1. the country to which the personal data is to be transferred ensures an adequate level of protection for personal data
2. we have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient
3. the transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; or
4. you explicitly consent to the transfer

Data retention

Our retention policy sets out how long we hold all information, including any personal data used for each of the areas mentioned in this privacy notice.

Learn about your rights

Under the GDPR and the DPA 2018, individuals have a number of rights relating to their personal data. Read more about your rights and how to exercise them visit on our privacy page.