Guidance

Office of Financial Sanctions Implementation: Privacy Notice

Updated 28 March 2024

The Office of Financial Sanctions Implementation (OFSI) is the part of HM Treasury (HMT) which ensures that financial sanctions are properly understood, implemented and enforced in the United Kingdom. In carrying out its functions, OFSI processes personal data for which HM Treasury is the data controller. This notice sets out how HMT uses personal data for the purposes of ensuring that financial sanctions are understood, implemented and enforced in the UK and explains data subjects’ rights under the UK GDPR and Data Protection Act 2018 (DPA). More details on OFSI’s mission and functions can be found on our website: www.gov.uk/ofsi.

1. The types of data we process

Personal data means any information from which a living individual can be identified. The types of personal data we process can include:

  • Names
  • Addresses
  • Dates of birth
  • Financial details
  • Employment details

Special category data is more sensitive personal data and we sometimes process special category data that reveals an individual’s:

  • Racial or ethnic origin
  • Political opinions
  • Religious, cultural or philosophical beliefs
  • Trade union membership
  • Health
  • Sex life or orientation

In addition, we sometimes process personal data revealing criminal convictions and offences.

2. How we obtain personal data

Some of the personal data we process is provided to us directly by the data subjects, for example, for one of the following reasons:

  • Engaging with us as part of our function to ensure financial sanctions are properly understood, e.g. by sending us a query or as part of organising an event
  • Applying for a licence to allow an otherwise prohibited transaction to take place
  • Reporting a suspected breach of financial sanctions

We also receive personal data about data subjects indirectly, for example for one of the following reasons:

  • Reporting to us that you have frozen funds belonging to a designated person
  • The UN or Foreign, Commonwealth and Development Office (FCDO) may provide details of a designated person for OFSI to publish on the Consolidated List of Asset Freeze Targets
  • Information may be provided by law enforcement agencies or government partners or identified, e.g. as part of an investigation into a suspected breach of financial sanctions

3. Why we process personal data

OFSI uses personal data in the performance of its public task to ensure financial sanctions are understood, implemented and enforced in the UK. This includes:

  • Publicising the details of persons subject to financial sanctions to assist with the implementation of asset freezes
  • Maintaining details of assets frozen in the UK
  • Processing licence applications for derogations from an asset freeze
  • Investigating and taking enforcement action on suspected breaches of financial sanctions
  • Assisting the public and other stakeholders who contact us with queries about financial sanctions

The lawful basis that underpins our processing of the personal data we hold varies depending on the nature of the data we hold and our reason(s) for processing that data (see below).

3.1 Processing personal data for a law enforcement purpose

As an enforcement body, some of OFSI’s activities are for purposes of law enforcement – in other words, relating to the prevention, detection, investigation, or prosecution of criminal offences relating to breaches of financial sanctions legislation. OFSI investigates all suspected breaches of financial sanctions, and personal data processed as part of its investigations, and of related activities connected to its compliance functions, is processed under Part 3 of the DPA. The legal basis for processing law enforcement data is section 35(2)(b) of the DPA: the processing is necessary for the performance of a task carried out for law enforcement purposes.

Where we engage in sensitive processing for these reasons, it is pursuant to the relevant provisions in section 35(5) of the DPA, read with paragraph 1 of Schedule 8 to the DPA.

3.2 Processing personal data for ordinary purposes

Personal data processed as part of our functions that do not relate to the enforcement of financial sanctions under Part 3 of the DPA is processed under the UK GDPR. The legal basis for the processing of personal data for ordinary purposes will, in most cases, be under Article 6(1)(e) of the UK GDPR: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in OFSI.

This includes the publication of personal data relating to persons subject to financial sanctions, in the publicly available Consolidated List of Asset Freeze Targets. This is to assist screening and implementation of financial sanctions in the UK’s jurisdiction. OFSI also processes the personal data of designated persons, their representatives, their associates or other parties to a transaction, as part of considering applications for a licence to permit otherwise prohibited transactions. OFSI may also process the personal data of members of the public, for example, if they submit a query about the implementation of financial sanctions.

We also process personal data about individuals in the course of our administrative functions, e.g., for the purposes of staff administration and training/evaluation.

Where we process special category data (as defined in Article 9(1) of the UK GDPR), it is for reasons of substantial public interest (under Article 9(2)(g) of the UK GDPR) and in accordance with the requirements set out in section 10(3) and paragraphs 5 and 6 of Part 2 of Schedule 1 to the DPA.

Where we process data relating to criminal convictions and offences (as defined in Article 10 of the UK GDPR), it is in accordance with the requirement set out in section 10(5) of the DPA and paragraphs 5 and 6 of Part 2 of Schedule 1 to the DPA.

3.3 Data sharing

We sometimes need to share personal data with third parties for law enforcement purposes and to assist them in delivering their statutory functions. When we do this, it is with due regard to our obligations under the UK GDPR and DPA, including ensuring any disclosures are necessary and proportionate with necessary safeguards in place. This includes sharing data with:

  • Law enforcement agencies (in the UK and overseas) to support the prevention of crime or for national security purposes
  • Foreign, Commonwealth & Development Office (FCDO) and other government departments as necessary for them to deliver their statutory duties and public functions
  • Sanctions committees of the UN for compliance with Security Council resolutions; and
  • Other bodies or individuals where we are required to do so by law

3.4 Data security

We have appropriate technical and security measures in place to protect the personal data we process and we limit its access to employees, contractors and third parties with a business need to see it. We do not retain personal data for longer than is necessary for the exercise of our functions and personal data we hold is subject to regular review. Our retention schedules vary, depending on the nature of the data and the purpose for which we hold it. Personal data relating to designated persons is retained for the lifetime of the designation to support future decision making and enforce penalties.

We do not engage in any automated decision making and the personal data we hold is securely destroyed when no longer needed.

3.5 Data protection rights

Under data protection law, you have the following rights:

  • The right of access - You have the right to ask us for copies of your personal data
  • The right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete
  • The right to erasure - You have the right to ask us to erase your personal data in certain circumstances
  • The right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances

Exemptions or restrictions to these rights apply in certain circumstances. For example, where personal data is being processed for law enforcement purposes, some of these rights may be restricted where it is a legitimate and proportionate measure to avoid obstructing an investigation or procedure, to avoid prejudicing our law enforcement purpose, to protect public or national security or to protect the rights and freedoms of others. If a restriction applies, we will inform you, except in cases where to do so would prejudice the purpose of the restriction.

3.6 To Make a Data Subject Access Request

Please direct data subject access requests to:

The Data Protection Team
Correspondence & Information Rights Team
Ground Orange
HM Treasury
1 Horse Guards Road
London
SW1A 2HQ

Email: DSAR@hmtreasury.gov.uk

For further information on data subjects’ rights, please visit the ICO website: https://ico.org.uk/for-the-public/

4. Our contact details

Office of Financial Sanctions Implementation
HM Treasury
1 Horse Guards Road
London
SW1A 2HQ
United Kingdom

Email: ofsi@hmtreasury.gov.uk

Web: www.gov.uk/ofsi

Please contact OFSI with any queries regarding our use of personal data in the first instance. Thereafter you can contact HM Treasury’s Data Protection Officer with any concerns about how HM Treasury handles your personal data: privacy@hmtreasury.gov.uk

You can also contact the Information Commissioner’s Office (ICO) if you are still unhappy with how we have used your data.

The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Web: https://ico.org.uk/global/contact-us/