Personal data and market oversight

The role of market oversight is to promote conduct that supports trusted, orderly and efficient primary and secondary markets in the UK. We do this by:

• overseeing the conduct of participants in the primary markets with the listing, prospectus and market abuse regimes through approving issuer documentation, maintaining the Official List and reviewing ongoing issuer disclosure and sponsor conduct.
• conducting secondary market surveillance to identify suspected market abuse and criminal insider dealing and market manipulation
• investigating suspected misconduct and working with Enforcement wherever appropriate to address breaches of the law and regulations
• communicating with exchanges, primary and secondary market participants including issuers, sponsors, trading firms and other regulatory and law enforcement authorities

The way in which we process personal data will depend on the particular circumstances and which of our functions are to be discharged.

Most often we will process personal data for regulatory purposes such as reviewing transaction data relating to secondary market activity. Processing for regulatory purposes is subject to the UK GDPR. Processing for the purpose of a criminal investigation or proceeding will be subject to provisions of the DPA 2018, which implements the LED into UK law. The FCA is a competent authority for the purposes of the LED and the DPA 2018.

Examples of the ways in which we may process personal data when carrying out our market oversight functions include:

• gathering and analysing information such as transaction/order book data, communications and Suspicious Transaction and Order Reports (STORs)
• analysis of data and storage in line with statutory obligations
• considering applications for eligibility and prospectus approval as well as amendments to the Official List
• overseeing sponsors, including applications for new sponsors
• supervising Primary Information Providers and Data Reporting Service Providers
• conducting inquiries and investigations, engaging with market participants and preparing documentation
• fulfilling money laundering reporting obligations
• cooperation with domestic and overseas authorities
• publishing papers in accordance with FSMA

The information that we have provided in this notice (particularly in relation to sharing information with third parties) is not exhaustive. If you want to understand more about how we use personal data or you have any particular questions about our market oversight processing activities, please contact us.

The personal data we use

Given the nature of our work, we use a variety of personal data (including special categories of personal data) to exercise our market oversight functions, which in specific circumstances may include:

• names, addresses, contact details, dates of birth, National Insurance numbers
• employment history
• location data
• online identifiers, including IP addresses, cookie identifiers from third party websites
• criminal records and allegations of criminal offences
• information relating to a person’s economic identity, including credit ratings, financial information and banking records
• an individual’s personal views and opinions including recordings and transcriptions of interviews undertaken as part of an investigation
• racial or ethnic origin
• information relating to a person’s health
• information related to sexuality/gender orientation
• an individual’s political opinions or religious and philosophical beliefs

The personal data we collect also includes technical data such as traffic, location, time zone and other communication data; and information from your computer or device, such as your internet protocol (IP) addresses, the login data, browser type and version, operating system and platform you use to access Connect.

As an organisation, we have robust policies in place to ensure that we do not use more information than we need. Nonetheless, in the case of our market oversight work it is often necessary to have a broad range of information to enable us to effectively and efficiently meet our responsibilities as a regulator and law enforcement authority, including detecting and investigating regulatory breaches and offences.

How this personal data is collected

To fulfil our market oversight functions, we collect personal data from a variety of sources as described below.

From individuals, firms and exchanges

To perform our market oversight functions we often rely on information provided to the FCA by exchanges, firms and individuals for several reasons. This includes information which we have compelled firms and individuals to provide (using our statutory powers), information which firms and exchanges have provided voluntarily, and information which individuals, firms and exchanges are obliged under statute to report to us.

From government departments and other public authorities such as regulators

We often receive information as part of our market oversight work and in connection with our duty to cooperate with other authorities.

From other third parties

We receive or request information from a variety of third parties to perform our functions. Given the nature of our market oversight responsibilities, it is often necessary to pull together a lot of information to ensure that we are able to identify matters that require our attention and take appropriate action. Examples of other parties and sources that we receive information from include:

• market participants, consumers and whistleblowers
• social media, third party websites and commercial databases
• third party contractors

Why we use this personal data

We use personal data to enable us to carry out the specific market oversight functions for which we are legally responsible. These duties arise under various statutes such as the Financial Services and Markets 2000 and EU regulations such as the Market Abuse Regulation.

We also collect technical data for the purposes of monitoring and investigating any suspicious activity, misuse of our ICT systems and for the purposes of maintaining cyber security. Automatic profiling may alert us of certain activities relating to the technical metadata. Where such alerts are received by us, we will decide whether to investigate further and there will be no automated decision process.

The lawful basis for us using this personal data

We use this personal data under Article 6(1)(e) of the UK GDPR (it is necessary for the performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018 and, to the extent that we use any sensitive personal data or criminal records, under Article 9(2)(g) of the UK GDPR (it is necessary for reasons of substantial public interest) and Sections 10(3) and (5) of the DPA 2018 (it is necessary for the exercise of the FCA’s statutory functions, it meets a condition set out in Part 2 of Schedule 1 and we have an appropriate policy in place for such use.

We also use personal data for law enforcement purposes under Section 35(2)(b) of the DPA 2018 (it is based on law and is necessary for the performance of a task carried out by us for that lawful purpose) and, to the extent that we use any sensitive personal data, under Section 35(5) (it is strictly necessary for law enforcement, it meets a condition set out in Schedule 8 of the DPA 2018 and we have an appropriate policy in place for such use.).

When we share personal data we hold for market oversight purposes

There are a number of reasons we may need to share information with other parties. For example, we share personal data with the parties involved in matters that come to our attention concerning market activity, and in investigations (such as firms or individuals and their legal representatives). We also frequently share personal data with overseas regulators and/or domestic law enforcement bodies and, occasionally, with other relevant firms (such as Interpol, the Home Office, HMRC and overseas authorities with similar functions). In some circumstances, where appropriate, we choose to share this information (for example, for the purposes of furthering an investigation) and in others when we are obliged for legal reasons to share the information.

In the majority of cases, the law and our policies allow us to share this information without obtaining the consent of the individuals involved. Where the law does require this, we ensure that adequate consent is obtained in accordance with the UK GDPR and the DPA 2018.

When personal data is transferred outside the UK and the EU by us for market oversight purposes

Given the international nature of our market oversight work, where necessary and appropriate we share personal data with third parties, most commonly regulators and law enforcement agencies, outside the EU. We will only transfer personal data outside the EU if permitted by the UK GDPR or DPA 2018. We have robust processes to ensure that appropriate safeguards are in place to protect any personal data included in such transfers. The FCA is a signatory to several administrative arrangements for the transfer of personal data from the FCA to non-EEA regulators. These arrangements act as an appropriate safeguard when the FCA shares personal data with non-EEA regulators that have signed these arrangements. View the full text of these administrative arrangements. 

Learn about your rights

Under the UK GDPR and the DPA 2018, individuals have a number of rights relating to their personal data. Given the often sensitive nature of our work, and the risk of prejudice to the discharge of our public functions and those concerned in a matter we consider, it will often be appropriate to apply the provisions of data protection legislation that permit us to limit data subject rights in certain circumstances, for example to safeguard regulatory functions, market integrity or to avoid obstructing or prejudicing criminal investigations. In each case we assess whether such a restriction is appropriate.

Read more about your rights and how to exercise them.