Rydym yn defnyddio cwcis ar ein gwefan. Trwy barhau i bori ar ein gwefan, rydych yn cytuno i ni ddefnyddio cwcis. Mwy o wybodaeth am gwcis Cuddio

Privacy notice and cookies

The Serious Fraud Office is committed to the responsible handling and security of personal data. Your privacy is important to us and protected in law. We must provide you with information setting out how we process your personal data.

What is personal data?

Personal data is data which identifies a living individual directly or indirectly, in particular by reference to an identifier such as their name, address or date of birth.

How are your rights protected?

Your rights are protected by either:

  1. The General Data Protection Regulation (GDPR) and Part 2 of the Data Protection Act 2018 (DPA); or
  2. Part 3 of the DPA.

The primary purpose for processing your personal data determines what law protects your rights and provides the legal basis for our processing activities.

Where the SFO processes your personal data for general purposes not relating to our casework, the GDPR and Part 2 of the DPA apply.

Where the SFO processes your personal data for law enforcement purposes in connection with our casework, Part 3 of the DPA applies.

Collection of personal data

The SFO collects personal data in many ways. Below are the primary examples:

  1. Correspondence and other forms of contact with the SFO for general purposes not relating to our casework.
  2. Online forms submitted through the SFO website.
  3. Correspondence and other forms of contact with the SFO for law enforcement purposes in connection with our casework including victim and witness needs assessments.

1.  Correspondence and other forms of contact with the SFO for general purposes not relating to case work

Personal data collected under this heading comes from a variety of sources including:

  • Job applications
  • Applications to join an SFO Counsel Panel
  • Communication concerning procurement and contractual matters
  • Sales enquiries
  • Media enquiries
  • Research enquiries
  • Communications concerning conferences and speaking engagements
  • Complaints
  • Freedom of information requests
  • Subject access requests
  • Emails to our Public Enquiries mailbox

Legal Basis for processing personal data

This type of personal data is processed under the GDPR and Part 2 of the DPA on the basis that the processing is necessary for the purposes of legitimate interests pursued by SFO (see Article 6(1)(f) of the GDPR) and in line with what can reasonably be expected when personal data is provided for general purposes.

These legitimate interests include processing job applications, securing goods and services for the SFO, responding to enquiries and requests, investigating complaints and for corporate administration purposes such as maintaining our records and accounts.

Personal data we hold

The SFO may hold the following personal data:

  • Name
  • Address
  • Email address
  • Telephone number
  • Copies of identification documents such as passport or driving licence
  • Any other personal information provided by you including about others

How we handle your information

The SFO holds personal data securely on our systems and it is then subject to internal retention policies.

Sharing your personal information

Personal information is generally only shared amongst officials within the SFO to process the matter for which it was provided.

We will occasionally forward personal information to external organisations in cases where assistance is required or the matter needs to be dealt with by another organisation. Notification and new contact details will be provided where a matter is transferred.

2.  Online forms submitted through the SFO website

There is a form on the SFO website for reporting serious fraud, bribery and corruption (the ‘online reporting form’) and from time to time we publish victim and witness questionnaires in connection with our casework.

Legal Basis for processing personal data

This type of personal data is processed for law enforcement purposes under Part 3 of the DPA. ‘Law enforcement purposes’ are defined under section 31 of the Act as follows:

‘…the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’

When completing the online reporting form you will be asked questions about whether you consent to the sharing of the personal details you have provided but this is not the legal basis for processing.

You will be asked whether you give permission for the SFO Intelligence Unit to pass on your personal details to case teams in the wider organisation or to outside agencies. Where permission is withheld we will seek to respect your wishes but in rare circumstances there will be overriding obligations which mean your personal details have to be shared outside the Intelligence Unit.

Personal data we hold

The SFO holds the following personal data about you if provided when completing an online form:

  • Name
  • Address
  • Email address
  • Telephone number
  • Any other personal information provided by you including about others

These forms are sent securely to the SFO and your personal data is then deleted by the providers of this online service 30 days after submission of your form. The personal data submitted on the form is transferred into SFO systems within this 30 day period and stored securely in our systems. Your personal data is then subject to internal retention policies.

How we handle your information

Our information recording system is purpose built for receiving and storing sensitive information. Any information you send us through our website is encrypted immediately. Our processes for storing and handling information comply with the law and are in line with industry standards. These are:

When you contact the SFO to report serious fraud, bribery or corruption, it helps us to have your name and contact details – this means we can make better use of the information or contact you for further information. However you do not have to give us information about yourself and may keep your identity anonymous when making a report.

Sharing your personal information

Your personal data may be shared by the SFO Intelligence Unit with internal case teams or external organisations such as the police or other government departments. Examples include where the information may be relevant to a live criminal or regulatory investigation. As indicated above we will take into account your wishes when assessing whether or not to share but in rare circumstances overriding obligations will take precedence. If we are able to notify you about this, we will do so as soon as practicable.

Where information is passed to an internal case team or external organisation, they may wish to contact you directly.

Sometimes it may be necessary to pass your personal data to an overseas authority such as an equivalent investigator or prosecutor. Your data will only be passed in this fashion in accordance with the applicable law.

3.  Correspondence and other forms contact with the SFO for law enforcement purposes in connection with our casework including victim and witness needs assessments

Communication with individuals takes place throughout the lifecycle of an SFO case and this includes conducting needs assessments for victims and witnesses to ensure that appropriate support is provided.

Legal Basis for processing personal data

For the most part personal data collected under this heading will be processed for law enforcement purposes under Part 3 of the DPA. This includes taking statement and completing victim and witness needs assessments.

However, when making referrals to victim and witness support services the processing will take place under the GDPR and Part 2 and the legal basis will be for the performance of a public task (see Article 6(1)(e) of the GDPR) in accordance with the SFO’s duties as set out in the Code of Practice for Victims of Crime.

When completing a needs assessment you will be asked whether you consent to your information being shared with support services. Consent in this context should be read as consent for the provision of those services, rather than the legal basis on which SFO processes your data which is described above. We will however take your wishes into account when deciding whether to make a referral.

Personal data we hold

The SFO may hold the following personal information:

  • Name
  • Address
  • Date of birth
  • Email address
  • Telephone number
  • Name of an individual that a message can be left with in your absence
  • Medical conditions

How we handle your information

The SFO holds your data securely on our systems and is then subject to internal retention policies.

Sharing your personal information

The SFO will share the personal data of victims and witnesses with support services if required and where consent has been given. 

If you are asked to attend court to give evidence the SFO will share your personal data with the Witness Service at court to ensure the appropriate support is in place. For example, if you use a wheelchair we will inform the Witness Service to ensure support and easy access to the court room on the day.

The SFO will share your personal data with your consent to also obtain support in the community if required.  

Who is collecting your personal data?

The Director of the Serious Fraud Office is the data controller. Relevant details can be found here.

Privacy Statement

Our website does not automatically store or capture personal information but logs your IP address which is automatically recognised by the Web server. You may choose to give us personal information, such as your name and address or email address, which may be needed to correspond with you or to send you updates.

This information will be processed in accordance with the relevant legislation. Our anonymous reporting function allows you to send us information completely anonymously and confidentially. We do not log your IP address or any other details without your express permission.

Your rights e.g. access, rectification, erasure

Where you have given consent, you have the right to withdraw it at any time.

The data we are collecting is personal data, and you have the right:

  • To see what data we have about you
  • To ask us to stop using your data, but keep it on record
  • To have all or some of your data deleted or corrected
  • To lodge a complaint with the Information Commissioner (ICO)

For more information on SFO obligations under the DPA please refer to our Statutory Notice page. 


Cookies

To make this site simpler, we sometimes place small data files on your computer. These are known as cookies. Most big websites do this too. They improve things by measuring how you use the website so we can make sure it meets your needs. Our cookies are not used to identify you personally. They are just here to make the site work better for you.

Indeed, you can manage and/or delete these small files as you wish. To learn more about cookies and how to manage them, visit AboutCookies.org or Direct.Gov.uk; or please read on to find out more about how and where we use cookies.

How we use cookies

We use cookies in several places. We have listed each of them below with more details about why we use them and how long they will last.

Measuring website usage (Google & Twitter Analytics)

We use Google Analytics and Twitter analytics to collect information about how people use this site. We do this to make sure it is meeting its users’ needs and to understand how we could make it better. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. We do not collect or store your personal information (for example, your name or address) so this information cannot be used to identify who you are. We do not allow Google to use or share our analytics data. The following cookies are set by Google Analytics:

Name Typical content Expires
_utma randomly generated number used by Google Analytics to identify unique visitors 2 years
_utmb randomly generated number used by Google Analytics for general visitor tracking 30 minutes
_utmc randomly generated number used by Google Analytics to identify unique visitors when you close your browser
_utmz randomly generated number used by Google Anaytics to identify how our site was reached (for example, directly or through a link or organic search) 6 months

For further details on the cookies set by Google Analytics, please visit the Google Code website. Please see here for the Social Media Policy.