Good information handling is integral to what we do. We understand that our customers not only trust us with their finances, but also expect us to do the right thing with their information.

We take privacy and the protection of customer, client and staff data very seriously and our colleagues across the bank continue to work closely together to ensure the bank protects the information it holds. We endeavour to balance protecting customers' information with giving them options as to how they want to share and access their information (for example, the ability to use third-party aggregation apps).

The bank has continued to update its processes and procedures to ensure its ongoing compliance with the General Data Protection Regulation (GDPR) and local legislation. We also continue to monitor closely the impact of the Brexit negotiations on our privacy obligations and cross-border data flows. In addition to this, we are liaising with industry bodies as appropriate.

We continue to maintain a close and open working relationship with our privacy regulators, including the Information Commissioner's Office (ICO) in the UK. The bank engages with the ICO proactively, liaising with the regulator on key projects and developments.

We care about being transparent and ensuring our customers can access the information we hold about them. We have seen a significant increase in the use of Subject Access Requests to gain information about PPI compared to 2018, with the bank receiving an average of 3 million requests per month. This was anticipated with the deadline for PPI claims being set for 29 August. The volume of non-PPI-related SARs has remained relatively steady following the GDPR coming into force in May 2018, which has a strong focus on empowering individuals to take control of their data and hold organisations to account for their data processing practices.

The GDPR also introduced a number of subject rights. However, we have continued to receive a relatively low volume of requests concerning, for example, objection to processing, erasure and data portability since 25 May 2018. This was also anticipated.

The number of Requests for Assessments (RFAs) that the bank has received from the ICO, considering the overall size of our customer base, remains very low, including in particular the number of complaints that are ultimately upheld by the ICO. We believe that the increase in RFAs reflects the increase in complaints that the ICO has received since the GDPR came into force and the increase in awareness of privacy laws and rights that it brought.


General Data Protection Regulation (or GDPR)

The regulation contains the framework which regulates the processing of personal data within the European Union, setting out the ways in which information about living individuals may legally be collected, used and handled.

Information Commissioner’s Office (or ICO)

The ICO is the UK’s independent authority, set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. 

There are equivalent regulators in other EU Member States.


Payment Protection Insurance (or PPI)

Payment Protection Insurance is a type of insurance product that enables a customer to insure repayment of credit should the customer become unable to make payments (e.g. through illness or loss of employment). The deadline for PPI mis-selling claims was 29th August 2019.

Requests for Assessment (or “RFA”)

The ICO may issue a Request for Assessment to organisations if it has concerns about that organisation’s compliance with applicable data protection legislation (e.g. if a customer makes a complaint).

Subject Access Request (or “SAR”)

A SAR is a request from an individual to see the personal information an organisation holds about them. Organisations must provide the information subject to very limited exemptions. In the UK, organisations must currently provide the information within one month of receipt of the request.