- Update: COVID-19
- Questions and Answers (Q&As):
- Why do we collect personal data?
- What is our legal basis for collecting personal data?
- What personal data do we collect?
- How do we use the personal data we collect?
- How do we share personal data?
- How do we protect your personal data?
- How long do we keep your personal data?
- Will your personal data be a public record?
- What rights do you have over the personal data we process?
- How can you access your personal data?
- Other information:
Due to the unprecedented circumstances of COVID-19, we are working hard to prioritise the delivery of our key functions and regulatory activities.
Public authorities may need to divert resources to priority work areas with consequential impacts on other areas such as the handling of Subject Access Requests. Your statutory rights are important to us and remain unchanged. Please note, however, that you may experience delays in our response to your request. We will inform you of any extension to the period for responding and the reasons for the delay.
To enable us to respond to you as quickly as we can, we would ask that you narrow the scope of your request as much as possible. In addition, you may want to reconsider whether your request can be resubmitted at a later date once the impact of COVID-19 has eased.
We will be alert to any guidance from the Information Commissioner as the situation changes to ensure that we comply with any guidance or changes to information rights.
For more information on our response to Coronavirus (COVID-19), see https://www.iomfsa.im/covid-19/. For more information from the Isle of Man Government on Coronavirus (COVID-19), see gov.im/coronavirus.
The Isle of Man Financial Services Authority (‘the Authority’) is registered with the Isle of Man Information Commissioner as a data controller for the purposes of Isle of Man data protection legislation.
This policy explains what information the Authority collects about individuals (‘personal data’), its reasons for doing so and how it holds, uses and discloses that information.
Questions and Answers (Q&As)
We are responsible for regulating persons who carry on financial services activity in or from the Isle of Man. This includes businesses such as banks, insurers, investment businesses, collective investment scheme service providers, pension service providers, trust and corporate service providers, money transmission service providers and crowdfunding platforms.
Our main statutory functions are laid out in the following Isle of Man legislation:
- Financial Services Act 2008
- Collective Investment Schemes Act 2008
- Insurance Act 2008
- Retirement Benefits Schemes Act 2000.
We also have significant statutory functions under the following legislation:
- Beneficial Ownership Act 2017
- Designated Businesses (Registration and Oversight) Act 2015.
We exercise a variety of functions in order to help achieve our regulatory objectives, which are:
- Securing an appropriate degree of protection for policyholders, members of retirement benefits schemes and the customers of persons carrying on a regulated activity;
- The reduction of financial crime; and
- The maintenance of confidence in the Island’s financial services, insurance and pensions industries through effective regulation, thereby supporting the Island’s economy and its development as an international financial centre.
We need to collect and process personal data in order to exercise our functions appropriately. We may collect personal data directly from individuals or indirectly from other entities or agencies. The table below provides examples of ways in which we collect and process personal data:
|Personal data is collected from…||To enable us to…|
|People looking to carry on financial services activity||Authorise people to carry on financial services activity in or from the Isle of Man|
|People we regulate||Assess whether people we regulate comply with regulatory standards|
|Take appropriate action to supervise and enforce compliance with regulatory standards|
|Customers of people we regulate||Assess whether people we regulate comply with regulatory standards|
|Take appropriate action to supervise, investigate and enforce compliance with regulatory standards|
|People we register||Assess whether people we register comply with relevant standards|
|Take appropriate action to supervise, investigate and enforce compliance with relevant standards|
|People who use our website||Monitor use of the website to identify areas for improvement|
|People who use our web portals to submit regulatory information||Receive regulatory information electronically|
|People who subscribe to our electronic newsletter||Provide relevant information to interested parties|
|People who receive other services we provide||Provide services to help achieve our regulatory objectives, such as by hosting annual conferences or seminars|
|People who contact us||Respond to an enquiry or address a particular issue|
|People who respond to our consultations and surveys||Consider feedback and develop our approach accordingly|
|People who work on our behalf or from whom we receive goods or services||Provide online services, such as the Collective Investment Schemes FRS (Financial Resources Statement) website and Designated Businesses website|
|Carry out surveys on our performance and other areas of interest|
|Operate in an effective and efficient manner|
|People who apply to us for jobs, and current and former employees||To enable us to employ suitable candidates, manage existing employees and comply with our obligations as an employer|
We take our responsibilities under data protection law seriously and look to ensure that personal data is handled appropriately. The legal basis for our collecting, holding, using and disclosing personal data is covered by relevant legislation. To summarise the general position:
- We have statutory functions to fulfil as the Island’s financial services regulator
- We have statutory rights to request information, inspect and investigate people carrying on (or suspected of carrying on) financial services activity
- We have similar functions and rights in respect of designated non-financial businesses and the Island’s register of beneficial ownership
- Information we obtain for the purposes of exercising our statutory functions is ‘restricted information’, which includes both personal data and non-personal data
- Our legislation imposes a number of restrictions on the disclosure of restricted information in order to protect the people to whom that information relates and safeguard our ability to exercise our functions appropriately
- These restrictions are subject to certain exceptions to recognise situations where we may need to share personal data to enable us to exercise our functions appropriately.
Data we collect about legal entities, such as companies, in the course of exercising our statutory functions is restricted information but is not personal data as it does not relate to an individual.
In addition to the above, we are designated as a competent authority for the inspection and investigation of criminal matters identified whilst exercising our statutory functions. Personal data that is obtained for law enforcement purposes is protected under Isle of Man data protection legislation, however an individual’s rights in relation to such personal data are more limited to reflect the fact that the data subject is subject to law enforcement proceedings.
We will only process your personal data if a lawful basis to do so exists. We may rely on:
- The need to meet a legal obligation in carrying out our statutory functions
- The need to meet a request you have made for information or a service
- The need to prevent or investigate suspected or actual violations of law
- The need to protect the public interest
- Your consent (in limited circumstances) – where we rely on your consent to process your data (such as your subscription to our electronic newsletter) you may withdraw your consent at any time by contacting the Data Protection Officer (see below)
- The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999. For more information on retention by the Public Record Office please click here.
Where there is a legal basis for doing so, we may share your personal data with other regulatory authorities or law enforcement agencies to help either us (or them) to exercise our (or their) functions appropriately. Any personal data we share in this way is shared in accordance with the law and is limited to the type and amount of data we believe necessary in order to achieve our objectives.
The key statutory provisions regarding our handling of information may be found in the following legislation:
|Legislation||Key Information Provisions|
|Financial Services Act 2008||Schedule 2 – Inspection and investigation|
|Schedule 5 – Disclosure of information|
|Beneficial Ownership Act 2017||As under the Financial Services Act 2008|
|Collective Investment Schemes Act 2008||As under the Financial Services Act 2008|
|Designated Businesses (Registration and Oversight) Act 2015||Section 22 – Restrictions on disclosure of information|
|Schedule 2 – Exceptions to prohibition on disclosure|
|Insurance Act 2008||Section 46 – Restrictions on disclosure of information|
|Schedule 6 – Restrictions on disclosure of information|
|Retirement Benefits Schemes Act 2000||Section 43 – Restrictions on disclosure of information|
|As under Schedule 6 of the Insurance Act 2008|
We collect personal data about individuals involved in regulated financial services activity in the course of exercising our functions. These may be people who control a regulated firm, people who are employed by (or otherwise engaged by) a regulated firm to carry out certain roles, or people who undertake financial services activity in their own right. We also collect personal data about individuals with whom we interact with on a regular basis to meet our operational needs, such as those who provide us with goods and services.
The type and amount of personal data we collect depends on the circumstances. For example, where a person is seeking to carry on financial services activity, we use personal data to help us determine whether a person is fit and proper to carry on a controlled function within the financial services sector. Such data is necessary to help us assess a person’s integrity, competency and solvency. By contrast, where a person contacts us by email to ask a question, we only use personal data to the extent that it enables us to answer their question and help us to improve the work we do.
We generally collect the following types of personal data for the work we do:
- Identifying: such as name, date and place of birth, nationality and other unique identifiers such as government-issued identification and national insurance number
- Contact: such as telephone number, email address, physical address
- Professional: such as education and employment history including schools and places of higher education attended, relevant qualifications, details of current and previous employment, and academic and employment references
- Financial: such as a person’s financial situation, solvency and any past declarations of bankruptcy
- Legal: such as being subject to current or past litigation, or being subject to successful investigation by a governmental, professional or other regulatory body
- Criminal activity: such as convictions and charges
- Authenticating: such as usernames, passwords and security details for access to our online services.
Under almost all circumstances, we do not collect personal data relating to special categories such as race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation. If we find that we hold personal data of this nature, we will take appropriate steps to delete that data and prevent it from being acquired in future. The general exception to this is health data we collect and maintain in relation to our staff for employment purposes. All such data is subject to appropriate operational safeguards.
We use the personal data we collect to enable us to exercise our functions as the Island’s financial services regulator in the most appropriate and effective manner. Our functions cover a broad range of activities but can be summarised into the following categories:
|We use personal data for…||To enable us to…|
|Applications for authorisation or registration||Determine whether people are fit and proper to carry on financial services activity|
|Fitness and propriety assessments|
|Supervising people we regulate or register||Assess whether people we regulate or register comply with relevant standards|
|Investigating people carrying on financial services activity||Help prevent and detect crime including fraud, money laundering, identity theft or other criminal offences|
|Enforcing compliance with regulatory standards||Take action against people who do not comply with regulatory standards|
|Developing regulatory policy, rules and guidance||Consult with relevant people to gain feedback on our proposals and develop our approach accordingly|
|Conducting surveys||Obtain feedback on our performance or other areas of interest|
|Responding to enquiries||Provide a response to an enquiry and communicate effectively with people|
|Communicating||Communicate effectively with people|
|Obtaining goods and services||Operate in an effective and efficient manner|
|Employing staff||Employ suitable candidates, manage existing employees and comply with our obligations as an employer|
In some cases, we have a statutory obligation to check and verify the data you provide to us (in application forms, annual returns etc.). This may include checks of publicly available information but in some cases, where it is necessary and relevant, the information you provide may be disclosed or shared with other organisations. This will only be done where there is a legal need for us to do so.
We look to ensure that we process personal data fairly and appropriately in accordance with the law in order to help maintain trust and confidence in the Authority. For example, we look to ensure that personal data we hold is accurate and up-to-date, relevant to our functions, not excessive, and is appropriately reviewed, maintained and destroyed when it is no longer required.
We do not make use of any automated decision making such as profiling in relation to the personal data we hold.
Personal data we collect when exercising our functions is ‘restricted information’ and subject to appropriate safeguards. However, we sometimes need to share information with other bodies acting in the public interest in order to exercise our functions effectively or to assist those bodies in carrying out their functions.
We make decisions to disclose personal data on a case-by-case basis subject to suitable controls within our organisation.
Sometimes we may be required by another body to disclose personal data under relevant legislation or by court order.
The types of people who we may share personal data with are as follows:
|We may share personal data with…||To enable us to…|
|Other regulatory authorities in or outside of the Isle of Man||Determine whether people are fit and proper to carry on financial services activity|
|Assist them in determining whether people are fit and proper to carry on financial services activity|
|Law enforcement agencies in or outside of the Isle of Man||Determine whether people are fit and proper to carry on financial services activity|
|Assist them in conducting investigations about persons suspected of carrying out criminal activities|
|Courts or other judicial authorities on production of a valid court order||Exercise our statutory functions or discharge our legal responsibilities|
|Some government departments or agencies in or outside of the Isle of Man||Exercise our statutory functions|
|Assist them in exercising their statutory functions|
|Educational institutions||Determine whether people are fit and proper to carry on financial services activity|
|Professional bodies||Determine whether people are fit and proper to carry on financial services activity|
|Assist them in determining whether people are fit and proper to be members of that body|
|People we regulate or register||Communicate our assessment of whether people are fit and proper to carry on activity for that person|
|People who work on our behalf or from whom we receive goods or services||Provide online services, such as the FRS (Financial Resources Statement) website and Designated Businesses website|
|Carry out surveys on our performance and other areas of interest|
|Operate in an effective and efficient manner|
We take care to ensure that personal data shared with third parties will not be used for any purpose other than the original purpose for which it was shared.
The security and confidentiality of your personal data is very important to us. We maintain an Information Security Policy, which applies to all of the information we hold.
To keep your personal data secure, we will ensure that:
- safeguards are in place to make sure personal data is kept securely
- your data will only be held on servers that are under the control of the Cabinet Office, Government Technology Services and within the jurisdiction of the Isle of Man
- only authorised persons are able to view your data
- security of the systems which hold personal data is maintained in line with ISO27001 standard.
To protect your personal data, we will:
- keep your personal data safe and secure in compliance with our information security policy
- only use and disclose your personal data as detailed above, where necessary
- retain your personal data for no longer than is necessary and your personal data will be permanently deleted in accordance with our Record Retention Schedule. There is an authorisation process to dispose of this in line with the policy and retention periods, as outlined below (unless there is an overriding reason to retain this information).
Where we use service providers to provide a service which may involve personal data (such as to provide online services or conduct independent surveys), our terms of engagement will specify that that person may not use your personal data for any other purpose.
Please see our Whistleblowing FAQs to learn how we handle whistleblowing situations.
We keep all of the information we collect in accordance with our record retention policy. This policy states the minimum periods for which we will keep certain categories of information. We may keep information for longer than these periods, however where we do we will document the reason for doing so.
Our Record Retention Schedule sets out how long we hold information, including personal data.
The Authority is subject to the Public Records Act 1999, under which the Isle of Man Public Record Office preserves public records that are of historic and cultural significance. We are obliged to look after the records we hold and to work with the Public Record Office to determine records of any historic or long-term research value. Selected records may be transferred to the Public Record Office in accordance with the agreed Record Retention Schedule.
If selected, your personal data may be offered for transferral to the Public Record Office for permanent retention. This is likely to be rare, because records of significance will often be about the Authority itself or entities it regulates.
The contact details for the Public Record Office can be found on its webpage.
|You have a right to…||Explanation|
|Access your personal data to ensure that it is accurate and, if it is inaccurate, to request that it is rectified, blocked, erased or destroyed.||To make any request relating to your personal data held by us, please contact the Authority’s Data Protection Officer (see below).|
|Withdraw your consent at any time in the limited circumstances where we process your personal data with your express consent (i.e. where you are not legally compelled to provide such information).||This applies to situations where you are not legally compelled to provide information, for example when you sign up to receive our electronic newsletter. It would not apply where you are required by law to provide information to assist us in exercising our statutory functions.|
Your rights may be limited where we are processing your personal data for law enforcement purposes, such as the inspection and investigation of criminal offences. We will be able to advise you if this is the case when you seek to exercise rights in relation to your personal data.
To make any request relating to your personal data held by us, please contact the Authority’s Data Protection Officer (see below).
If you have any concerns about the way in which we collect or process personal data then we would like to know to see what we can do better. You can discuss your concerns with our Data Protection Officer.
If you are not satisfied with a response you receive from us then you can make a complaint to the Isle of Man Information Commissioner, whose details can be found on www.inforights.im. You may have a right to other remedies.
|Data Protection Officer Contact Details|
|By telephone (main switchboard)||+44 (0)1624 646000|
Data Protection Officer
Isle of Man Financial Services Authority
PO Box 58
Finch Hill House
Isle of Man
People may commit an offence where they provide us with false or misleading information or fail to provide information when lawfully required to do so. The offences can be found in the relevant legislation, however generally they are as follows:
|A person who provides false or misleading information to us when lawfully required||Liable on conviction to a fine or custody of up to 2 years, or both.|
|A person who, without reasonable excuse, fails to provide information to us when lawfully required||Liable on conviction to a fine or custody of up to 2 years, or both.|
You can find out more information by:
- Contacting our Data Protection Officer (see above)
- Asking to see your information or making a complaint if you feel that your information is not being handled correctly by contacting our Data Protection Officer
- Making a subject access request which is a request for all of the personal data we hold about you by contacting our Data Protection Officer
- Obtaining this information in large print, braille, or in an alternative language by contacting our Data Protection Officer.