Policy paper

SFO Privacy Policy

The Serious Fraud Office (“SFO”) is committed to the responsible handling and security of personal data. Your privacy is important to us and protected in law.

Applies to England, Northern Ireland and Wales

Purpose

Personal data is any data which identifies a living individual directly or indirectly, in particular by reference to an identifier such as their name, address or date of birth.

The processing of personal data can mean anything we do with personal data, including but not limited to collecting, recording, storing and sharing.

Data Controller

The Director of the Serious Fraud Office is the data controller. You can contact the SFO at:

Email: [email protected]

Address: The Serious Fraud Office, 2-4 Cockspur Street, London, SW1Y 5BS

Telephone: +44 (0)20 7239 7272 / 7152

Data Protection Officer

You can contact the SFO’s Data Protection Officer at:

Email: [email protected]

Address: Data Protection Officer, Serious Fraud Office, 2-4 Cockspur Street, London, SW1Y 5BS

How are your rights protected?

The primary purpose for processing personal data determines what law protects your rights and provides the legal basis for our processing activities.

Your rights are protected by either:

  1. The General Data Protection Regulation (“UK GDPR”) and Part 2 of the Data Protection Act 2018; or
  2. Part 3 of the Data Protection Act 2018 (“DPA 2018”).

Where the SFO processes your personal data for general purposes not relating to our casework, the UK GDPR and Part 2 of the Data Protection Act apply.

Where the SFO processes your personal data for law enforcement purposes in connection with our casework, Part 3 of the Data Protection Act applies.

What information do we collect about you?

The SFO collects personal data from a range of sources in the course of the exercise of its statutory Law Enforcement functions. Types of personal data we process under Part 3 of the DPA 2018 may include information such as:

  • Personal details including name, address, contact details, proof of ID, date of birth
  • Financial information
  • Location and communications data
  • Sound and visual images
  • Conviction data
  • Online identifiers such as IP addresses
  • Any other personal data about you or other individuals collected by the SFO which is necessary and processed lawfully for the purposes under Part 3 of the DPA 2018.

We also process personal data that is unrelated to our law enforcement processing, including in the course of our administrative functions such as staff administration, procurement, property management, media and public correspondence.

Types of personal data we process under UK GDPR and Part 2 of the DPA 2018 may include information such as:

  • Personal details including name, address, contact details, proof of ID, date of birth
  • Employment details
  • Personal data supplied in requests, complaints or correspondence
  • Job applications or applications to join an SFO Counsel Panel
  • Information relating to safeguarding or victim support services
  • Any other personal data about you or other individuals collected by the SFO which is necessary to discharge our general administrative duties

We may also need to process special categories of personal data (also referred to in Part 3 of the DPA 2018 as “sensitive processing”) for either our general or law enforcement purposes. This could include personal data revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious, cultural or philosophical beliefs
  • Trade union membership
  • Physical or mental health
  • Sex life or orientation
  • Genetic or biometric data

Whose personal data do we handle?

In order to carry out our functions we process information relating to a wide variety of individuals.

For law enforcement purposes in connection with our casework these may include:

  • People suspected of an offence
  • Victims
  • Witnesses
  • People convicted of an offence
  • Solicitors and counsel
  • Expert witnesses and interpreters
  • Members of the public
  • Colleagues from other law enforcement agencies, Government departments, regulators or international organisations
  • Former and existing members of staff

For general purposes not relating to our casework this may include:

  • Complainants, correspondents and enquirers
  • Members of the public
  • Journalists and the media
  • Suppliers and commercial partners
  • Colleagues from other law enforcement agencies, Government departments, regulators or international organisations
  • Consultants and other professional experts
  • Former, potential and existing members of staff

Why do we use personal data?

The SFO is a specialist prosecuting authority responsible for investigating and prosecuting the top level of serious or complex fraud, bribery and corruption. In addition, the SFO pursues criminals for the financial benefit they have made from their crimes and assists overseas jurisdictions with their investigations into serious and complex fraud, bribery and corruption cases.

We will process personal data for the law enforcement purposes as outlined in Part 3 of the DPA, specifically as part of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

The Criminal Justice Act 1987 empowers the Director of the SFO to investigate suspected offences of serious or complex fraud, and bribery and corruption. Acting in accordance with these powers provides the SFO with a basis in law to process personal data for law enforcement purposes. For data protection purposes we are a competent authority under Schedule 7 of the DPA 2018.

The SFO also processes personal data for non-law enforcement purposes. This includes for recruitment, staff administration, responding to enquiries, requests or complaints, and maintaining our accounts and records. Depending on the nature of the data and why we need to process it, there may be a number of different legal bases that apply, including where:

  • the processing is necessary to perform a task in the public interest or for official functions, such as where we make referrals to victim and witness support services or share information for regulatory purposes
  • the processing is necessary for a contract or to take specific steps before entering into a contract, such as where we vet and recruit employees or procure goods and services
  • the processing is necessary in order to comply with a legal obligation, such as where we are required to respond to Freedom of Information Act 2000 or other statutory requests
  • there is a legitimate interest to do so, and it is necessary and balanced against your own interests, rights and freedoms
  • on rare occasions, processing data becomes necessary to protect your vital interests (or someone else’s vital interests), such as in line with our safeguarding policy

Who will we share data with?

During the course of our casework the SFO may share personal data either internally or with other individuals or organisations. This may be for the purposes of furthering the SFO’s investigations and prosecutions, as part of joint investigations, responding to requests for assistance, or as part of complying with our statutory duties to disclose information.

These recipients will include, but are not limited to:

  • Other UK or overseas law enforcement agencies
  • UK or overseas Government departments
  • The Court
  • Witnesses or interviewees
  • Expert witnesses, interpreters and other professional experts
  • Counsel
  • Financial institutions and regulatory bodies
  • Administrators and Liquidators
  • Other third party data holders in the context of an investigation

We may also need to share data for non-law enforcement purposes, including with:

  • Service providers
  • Current, past and prospective employers
  • Local authorities or victim and witness support services
  • Government departments
  • Regulatory bodies

How long do we keep personal data?

Whilst held on SFO systems your personal data is subject to internal data retention policies.

The appropriate retention period for law enforcement data will be determined by the lifecycle of the investigation and prosecution, along with any outstanding actions or orders following its conclusion.

Where data is held for general purposes the SFO will only retain your personal information for as long as necessary. We will securely dispose of your data when it is no longer necessary to retain it.

How do we keep your data secure?

The SFO has put in place appropriate technical and organisational measures to safeguard and secure the information we collect about you. We have strict technical security standards and all our staff get regular training about how to keep information safe. In addition, we limit access to your personal information to those employees, contractors and other third parties who have a business need to know.

Your rights as a data subject

Under the UK GDPR and DPA 2018 you have a number of rights in relation to the data we process about you. Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”)
  • Request rectification of the personal information that we hold about you
  • Request erasure of your personal information
  • Object to processing of your personal information
  • Request the restriction of processing of your personal information
  • Request the transfer of your personal information to another party

Please note that some of the rights listed above may be restricted. More information about your rights can be found on the Information Commissioner’s Office website.

We also sometimes need to request specific information from you to help us confirm your identity. This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

If you wish to exercise any of your rights please email the SFO using the following email address: [email protected]

Complaints

If you wish to make a complaint about the way your personal data has been processed you should contact the SFO’s Data Protection Officer using the contact details on this page.

You also have the right to lodge a complaint with the Information Commissioner. You can contact the Information Commissioner’s Office at:

https://ico.org.uk/global/contact-us/

Address: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: +44 (0)303 123 1113

Updates to this page

Published 10 December 2024
