This notice sets out how we handle personal data in the performance of our functions as the UK’s central bank – specifically within RCEP and External SailPoint, which are associated with our provision of the RTGS/CHAPS services – and how we protect the privacy of the individuals whose data we process.

Our general approach

•    We will handle personal data in the performance of our functions as the UK’s central bank
•    We collect personal data about business contacts, customers or staff of the firms we regulate, our staff or members of the public.
•    We will only process personal data in a way that is fair and lawful. When we need to process personal data, we will take appropriate steps to keep it secure
•    We will respect the rights individuals have in relation to data we hold about them

The Bank of England (‘we’ or the ‘Bank’) is the UK’s central bank. Our mission is to promote the good of the people of the United Kingdom by maintaining monetary and financial stability. This includes the provision of the RTGS/CHAPS payment and settlement services.

Further information about the Bank’s general approach is set out in the Bank’s privacy notice.

Information we collect
For a number of the activities that we undertake to achieve our mission, we need to process personal data. This includes data that relates to business contacts of those using, or applying to use, our RTGS/CHAPS services.  This information may be collected from you via email, documents you upload to RCEP, or information that you - or a colleague - input directly into RCEP (and may be passed to External SailPoint as the user management solution for CNI). The information is primarily business contact information. This includes where those contacts have, or will have, user access to systems that support RTGS/CHAPS. This may include name, email, address, phone numbers, and other identifiers as part of a SWIFT Distinguished Name. In some cases you – or a colleague – may provide us with personal mobile details to support contingency or remote working arrangements. In most cases, collection of your personal data is in the context of a contractual relationship with your employer – organisations who use, or are interested in using, the RTGS/CHAPS services. We require this information in order to contact you about the services provided, or to be provided.

How we use your personal data
We collect your personal data so that we can communicate with you about the provision of our RTGS/CHAPS services. This covers a range of functions including: day-to-day operations; testing; provision of statistics; invoking contingency arrangements; and policy and future service development. In most cases this is primarily to share information via email. In some cases, this relates to your attendance at one or more working groups or other types of meeting.

We also collect your personal data so that, where applicable, you can access elements of the RTGS/CHAPS services. Your business email address is typically used to set you up with access to RCEP, External SailPoint and our extranets. Your name is also captured to support managing your access to these services including, in some cases, management by your organisation’s Principal Users.

Access to RCEP and External SailPoint is controlled - for internal and external users. The Bank uses layered information security measures to protect the data held.

The purpose of processing is to support the delivery of our RTGS and CHAPS services. Our legal basis is Article 6.1 (e): the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Uses include:

There is no automated decision making or profiling of personal data.

We also need certain information to share with third parties – in particular, so that the CHAPS Direct Participants can contact each other directly including for managing issues such as returns, suspected frauds, and payment-specific queries. 

When we share data

In some circumstances, we may need to share personal data with other organisations.  Situations in which we may need to disclose personal data to a third party include:

•    to other CHAPS Direct Participants to enable employees of CHAPS Direct Participants to communicate directly with each other – this is based on information you - or a colleague - provide to us; 
•    with other members of working groups that you attend;
•    to other financial services regulators (for example, the Financial Conduct Authority) and other central banks as part of ongoing supervision or enforcement; 
•    to external auditors during audits or similar exercises;
•    with online meeting service providers to support the hosting of meetings (where the privacy statement of that provider will also apply); and
•    to third parties who provide elements of services for us (data processors). We have contracts in place with our data processors. This means that they will use personal data only in accordance with instructions provided by the Bank in order to deliver the agreed services. They will hold it securely and retain it for the period we instruct. 

We will only share personal data with others when we are legally permitted to do so. 

Specifically for CHAPS DPs, section 11 of the CHAPS Reference Manual sets out further information on Information Obligations including sharing with regulatory authorities; and section 13 sets out further information on data protection. Clause 15 of the RTGS Mandate Terms & Conditions sets out further information on confidentiality obligations, including when we can share with other organisations.

International transfers of personal data

For some of the purposes for which we need to process personal data, the data may be transferred to other countries. Any transfers to third countries are either under an Article 45 adequacy decision or contractual clauses between the Bank and the third party under Article 46.3(a). UK data protection laws don’t allow organisations to transfer personal data outside the UK, except in circumstances that include:

•    where the recipient is located in an EEA country
•    where the recipient is located in a non-EEA country but the data protection regime in that country is considered "adequate" for the purposes of UK data protection laws; or 
•    where appropriate safeguards for the protection of personal data are in place.

In any instances where the Bank or an organisation acting on our behalf transfers personal data outside the United Kingdom, we will ensure this is carried out in compliance with UK data protection laws in order to protect personal data.

Emailing us

We monitor emails or other electronic communications with us, including any attachments these contain. We do this to meet the legitimate interests we have in ensuring the security of our networks and systems, for compliance and professional standards purposes, as well as in some instances where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority of the Bank. Emails are scanned by Mimecast. You can read their privacy policy here: https://www.mimecast.com/company/mimecast-trust-center/gdpr-center/privacy-statement. Blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is lawful and appropriate.  Emails sent to us from outside the Bank are retained for legal and compliance reasons for 7 years.

Retention of personal data

We retain personal data for as long as is required for the purposes for which we collect it, and other purposes that are not incompatible with this. This is usually a maximum of 7 years, although we would continue to retain personal data in the case of an active and ongoing need such as where you continue to act as the appropriate contact for your employer.

If you are no longer in a role where the Bank needs this information, you can ask that we cease using your personal data by writing to us at rtgschapscomms@bankofengland.co.uk. Given the nature of the service provided, we would expect to be provided with alternative contact details for your colleagues so we can continue to contact your organisation about the services we provide. 

When determining retention periods, we will have reference to, amongst other things, whether we need to keep this for statutory or audit purposes. Details of the retention periods for different types of personal information are set out in the Bank’s Records Classification Scheme. Where possible, we will seek to anonymise personal information so that it can no longer be associated with the individual. When we have identified this is no longer required, we have measures in place to securely dispose of personal data.

Your rights

You have a number of rights under data protection laws (for example, you have the right to ask us for a copy of the personal data the Bank holds about you). This is known as a ‘Subject Access Request’. You can ask us to change how we process or deal with your personal data, and you may also have the right in some circumstances to have your personal data amended or deleted. To find out more about those rights, to make a complaint, or to contact our Data Protection Officer, please see our website at www.bankofengland.co.uk/privacy.

You have the right to lodge a complaint with the relevant UK supervisory authority, the Information Commissioner’s Office (ICO).

The Bank’s Data Protection Officer

The Bank has appointed a Data Protection Officer, who is supported by the Privacy Team in the Bank’s Compliance Division, and whose role includes acting as a point of contact for individuals in relation to concerns around how their data is processed. You can contact the Bank’s Data Protection Officer at:
Bank of England
Threadneedle Street
London
EC2R 8AH