Privacy policy

Who we are

We are the Institute and Faculty of Actuaries (IFoA) and our subsidiaries: Continuous Mortality Investigation (CMI) Limited, ICA 98 Limited, and Institute and Faculty Education (IFE) Limited.  We are the chartered professional body dedicated to educating, developing and regulating actuaries based both in the United Kingdom and internationally

We are registered as Data Controllers with the Information Commissioners Office (ICO) in the United Kingdom:

The IFoA registration number: Z4899224

The CMI Registration number: ZA121735

Where we are based

We maintain offices in England, Scotland, China, Hong Kong and Singapore.

How you can contact us

For general enquiries, visit the contact us page.

For CMI specific enquiries: info@cmilimited.co.uk

For enquiries about this notice or your information rights: our Data Protection Officer can be contacted by:

Telephone: +44 (0) 131 240 1311

Email: data.protection@actuaries.org.uk

Why we need to process your personal data

Where we get your personal data

Depending on our reasons for processing your data the sources of this data may be:

• you;
• your current and previous employer(s);
• other actuarial organisations;
• educational bodies including schools;
• other regulators;
• employment agencies;
• credit reference agencies;
• your previous customers or suppliers;
• social media and the Internet;
• public records.

If you browse our website we may collect basic information about you via Google Analytics. For more information please see our Cookie Policy

The lawful basis for processing your personal data

The IFoA only process personal data where there is a lawful basis for doing so.  These are:

• legal obligation;
• contract;
• vital interest;
• legitimate interest;
• public task.

In line with our role as a regulator we may also process personal data where there is a substantial public interest.  This means we may process data without consent in order to protect the public from dishonesty, or in the investigation of malpractice, unlawful acts or improper conduct.

The types of personal data we process

Depending on our reasons for processing your data we may process your:

• contact details (i.e. name, previous name(s), current and previous postal addresses, work address, email addresses, phone number(s));
• marital status;
• education history and exam performance;
• employment history;
• professional interests;
• payments (to and from us);
• financial details;
• correspondence (to and from us);
• professional development;
• attendance at events;
• national insurance number or equivalent;
• passport / identity card number;
• health information;
• location of birth;
• criminal records;
• disciplinary records.

If you browse our website, we may capture and process:

• a unique machine-generated visitor ID;
• the date and time of your first visit, current visit, and total number of visits to the site;
• the number of pages visited;
• when your visit has ended;
• information about the traffic source (where you came from).

How we keep your data secure

Personal data received by the IFoA will be held in accordance with our information security standards.  When we share data with third parties we ensure the required technical and organisational controls are in place to keep the data secure.  When sharing personal data we use appropriate controls and safeguards.  These will be specified in our individual Data Sharing agreements.  Examples include only dealing with authorised individuals, adhering to internal policy controls and the use of secure file sharing portals and encryption.

Children's data

From time to time the IFoA processes the personal data of children.  This may be to facilitate entry to IFoA sponsored academic competitions, recognise excellence in mathematics at secondary education level or to keep aspiring actuaries up to date with relevant careers information.  When we do this the lawful basis is our legitimate interests as the chartered body for actuaries in the United Kingdom.  Children's data is kept securely at all times, processed in accordance with the Information Commissioner's Office 'Age Appropriate Design Code ('Children's Code') and available only to those employees that require access to it for their job.

When we share your personal data with third parties

We will share, where appropriate, your personal data with the following organisations:

• payment processors and our bank;
• exam centres holding exams on our behalf;
• organisations assisting with exam logistics such as marking platform providers, scanning services and plagiarism checking;
• the British Council;
• publishers;
• other actuarial organisations;
• electoral services providers;
• travel and accommodation booking service providers;
• credit reference agencies;
• employment agencies;
• your current and/or previous employer;
• courier delivery services;
• external legal advisors;
• third parties who supply the services that support the delivery of our publications, newsletters and electronic library services;
• if you're representing us in the UK or overseas and we are funding your travel, we may share  personal data about you with travel services, hotels and selected third parties only to facilitate your travel and attendance;
• members and lay-members via involvement in our boards, committees, working parties, member interest groups and regional societies;
• members and lay-members acting in roles as principle examiners, exam supervisors, other exam personnel, exam counsellors, independent examiners, subject matter experts, and investigating actuaries;
• tracing services, in relation to compliance and disciplinary matters; 
• Competent authorities - i.e. tribunals, courts, police forces, and other regulators such as the Financial Reporting Council (FRC), the Prudential Regulation Authority (PRA), the Pensions Regulator (tPR), or the Financial Conduct Authority (FCA).

Where we share your personal information with other regulators, this is part of our regulatory function, and extends to disclosures relating to disciplinary actions, as well as periodic auditing of our activity by competent authorities.  In line with our rules and byelaws, we will not seek your consent for these disclosures.

Illustrative examples of data sharing with third parties:

Social media

We have separate terms and conditions for our social media channels covering issues around data sharing with channel owners, content and behaviour.  These are available to review here

When we might transfer your information across borders

As an international body, to facilitate the delivery of regulatory objectives or services related to membership and learning we regularly transfer personal data across jurisdictions.

We routinely store or process personal data:

• within the UK; or
• within countries recognised as having an 'adequate' level of protection under UK GDPR; or
• within the EEA and countries recognised by the EU as providing an 'adequate' level of protection; or
• internationally to countries without an 'adequacy' decision using appropriate technical, organisational and contractual safeguards.

As required under EU GDPR our representative within the EU is 'Data Protection Representative Limited', 12 Northbrook Road, Dublin, Ireland, D06 E8W5.  You can access our representative services from any EU country, further details are here.

How long we retain your personal data

We only retain personal data for as long as legally required or as long as required by the objects in our Royal Charter.

We securely dispose of personal data when the retention period has expired.

Copies of our Records Retention Schedule can be requested via our Data Protection Officer: data.protection@actuaries.org.uk

When the use of your personal data is based on our legitimate interests

If we send you information based on our legitimate interests as a professional body such as professional newsletters, updates on our activity, Continuous Professional Development opportunities and notices of events you are able to opt out of receiving this at any time.

By Royal Charter, we are obliged to act in the public interest. Pursuant to our role as a regulator and the objects of our Charter you cannot opt-out of receiving certain types of regulatory and governance related information.

Your rights as a data subject

You have the right to:

• obtain a copy of any personal data we hold that is about you and not subject to any exemption in data protection law, including footage recorded on Closed Circuit Television (CCTV) systems where the IFoA is the Data Controller;
• correct any information we hold about you that is inaccurate or out of date;
• ensure we dispose of any personal data we hold about you (once all legal and regulatory record keeping requirements have expired);
• restrict the processing your personal data;
• object to us processing your personal data;
• erase your personal data, where we no longer have a lawful basis or valid operational reason for holding it;
• request we send all or some of the personal data we hold about you to another organisation.

If you wish to exercise any of your rights please contact the Data Protection Officer with your request: data.protection@actuaries.org.uk

If you’re unhappy with how we have used your personal data

In the first instance, please contact our Data Protection Officer so that we can deal with your enquiry.  If you are unhappy with how we deal with your concerns you have the right to make a complaint to a Supervisory Authority about how we process your personal data.

In the United Kingdom the Supervisory Authority is the Information Commissioner’s Office

We updated this notice on the 3rd of September 2021: 

• We updated our Privacy Notice to incoporate reference to 'adequacy' under UK GDPR for international transfers of data