This privacy notice explains how we use any personal information we collect about you.
Who is this privacy notice from?
You are a member of The People’s Pension Scheme (known as ‘the Scheme’) because you work, or used to work, for one of the many employers who use The People’s Pension as their workplace pension scheme. You may also be an employer, adviser or intermediary who has enrolled employees into the Scheme or looks after the account. As required by data protection law, this privacy notice gives you information from the two data controllers who use your personal data in the Scheme, namely:
- People’s Financial Services Limited (PFS), which is part of the B&CE Group (B&CE). B&CE has been providing workplace pensions to employers for over 30 years. The Scheme helps employers to comply with their duties under the government’s automatic enrolment rules. B&CE provides the services of B & C E Financial Services Limited to run the Scheme.
- The People’s Pension Trustee Limited (the Trustee), which is an independent corporate trustee that looks after all aspects of the Scheme. The Trustee ensures that the Scheme is run in the best interests of its members, and in line with the Scheme rules and the law.
In this privacy notice, when we mention B&CE we mean PFS in its role as a data controller and (where appropriate) the other companies in the B&CE Group involved with the Scheme.
What is this privacy notice about?
The privacy notice explains how B&CE and the Trustee will use any personal data they collect from you – as the member – or from the employer who has enrolled you into the Scheme. It also covers any personal data we collect from the employer, adviser or intermediary who has set up or looks after the Scheme. The notice also explains how B&CE and the Trustee will comply with data protection law.
The Trustee needs personal data about you and your employer to run the Scheme and pay benefits. In legal terms, the Trustee is a ‘data controller’ for this information. So, in this notice, the Trustee must explain some things about the personal data it holds, and your rights regarding the data.
B&CE needs personal data about you to provide its support and administration services to the Trustee. B&CE uses the data to act as a source of information for the Trustee, providing insight into the pensions and financial services market. B&CE does this through research on the Scheme’s customers, which the Trustee then uses to fulfil its governance and regulatory duties. B&CE also uses the research to help it communicate with members, to raise their awareness of the Scheme and its benefits, and to assess the suitability of options offered to members at retirement. Because PFS has some control over how it carries out its processing, PFS is also a ‘data controller’. So, B&CE also needs to tell you about the personal data it keeps about you, any processing activities it carries out separately from the Trustee and your rights regarding B&CE’s use of your data.
The privacy notice tells you about the personal data that B&CE and the Trustee hold. Each of them may hold different data, for different reasons. It’s important for you to understand that PFS and the Trustee are separate data controllers. This means they each take their own decisions about your personal data and how they use it.
However, in a few cases, they are joint data controllers, which means they take decisions together. Examples could include sending communications to Scheme members to raise their awareness of options available to them, or whenever the Trustee requires B&CE’s consent to pay a particular benefit under the Scheme rules.
For simplicity, the Trustee and B&CE give you just one point of contact. B&CE’s Group Director of Business Assurance is the appointed Data Protection Officer for B&CE and is responsible for monitoring B&CE’s compliance with data protection law. So if you have a question or complaint about the processing of your data, or if you wish to use your rights under data protection law, then you should contact B&CE’s Data Protection Officer. He or she can also liaise on your behalf with the Trustee.
What personal data do the Trustee and B&CE hold about you?
Information the Trustee holds
If you are a member, the Trustee holds the following types of personal data about you:
- Your name, date of birth, national insurance number, and employee unique ID.
- Bank account information if you make additional contributions to the Scheme by Direct Debit.
- Contact details, including your address, phone number and email address.
- If your benefits from the Scheme come from your employment, details of your employer when you were building up an account in the Scheme, how long you worked for them and your salary from time to time.
- Whether you are married or in a civil partnership and other information the Trustee may need to pay any death benefits concerning you.
- If your benefits from the Scheme form part of a divorce settlement, details of it.
If you are an employer, intermediary or adviser, the Trustee holds the following types of personal data about you:
- Primary contact name, company address and job title, email and phone number.
- Intermediary/adviser contact name, company address, email and phone number.
- Employer’s bank account information.
The Trustee may sometimes use other information about you. This could include information about your health if it is relevant to, for example, early payment of benefits from the Scheme, or details about personal relationships to help decide who should receive benefits on your death. Rarely, the Trustee may also have information about criminal convictions and offences if they are relevant to your Scheme entitlements.
Additional information B&CE may collect about you:
B&CE may also collect:
- information on how you use B&CE and The People’s Pension websites (such as your IP address, browser information and geographical location)
- information on how you use B&CE and The People’s Pension social media
- unique identifiers such as driver’s licence and passport numbers, which help to confirm your identity.
Where do the Trustee and B&CE obtain your personal data?
Some of the Trustee’s information comes directly from you. The Trustee may also get information (such as your salary and length of service) directly from your employer or their representative/adviser.
In addition, B&CE, which runs the Scheme on the Trustee’s behalf, may have got information from you and passed it to the Trustee. Sometimes the Trustee gets information from other sources: for example, another scheme if you have transferred benefits from that scheme; government departments such as HMRC and DWP; and publicly accessible sources (e.g. the electoral roll) if the Trustee has lost touch with you and is trying to find you.
Sometimes the Trustee will obtain your personal data from trustees of other pension schemes who are considering making a ‘bulk transfer’ of assets and liabilities from those other schemes into the Scheme. Before that kind of transfer could happen the Trustee would need to evaluate, negotiate and prepare for it. This would include testing that the personal data coming across is sufficient for the transfer to happen properly in accordance with the rules of the Scheme, checking for inaccuracies in the personal data, and checking whether there are missing parts to the personal data. This testing would be necessary for the legitimate interests of the Trustee in deciding whether or not to give effect to the transfer. The Trustee has carefully balanced its legitimate interests against your own rights and freedoms under data protection laws. The categories of personal data shared with the Trustee for this testing are as described in the section “Information the Trustee holds”. If the transfer doesn’t proceed after completion of the testing, the Trustee will return or destroy your personal data, unless a copy has to be retained to defend legal claims or for other reasons in relation to legal claims.
Personal data in beneficiary nominee forms will come from you as the member. Personal data about members’ dependants, other beneficiary nominees, and death-in-service nominees, will also come from you or your representative. If we ask you for other information in future (for example, about your health), the Trustee will explain whether you have a choice about providing it and any consequences if you don’t do so.
B&CE may receive personal data about you when you contact the B&CE group by doing any of the following:
- Registering to use your Online Account or contacting B&CE to manage your product or service.
- Applying for a product or service.
- Using its website, or social media.
- Contacting B&CE via webchat, phone, email, post or otherwise.
- Taking part in market research such as surveys and questionnaires.
- Attending worksite presentations, roadshows or other events.
- Participating in competitions and promotions run by B&CE.
- B&CE also works closely with several third parties, including anti-money laundering service providers, credit-checking companies, analytics providers, software providers or payroll providers, and regulatory authorities or government departments; and B&CE may receive information about you from them.
What is the legal basis for the Trustee using your personal data, including if the Trustee shares it?
The Trustee must by law provide benefits in line with the Scheme’s governing documents and must also meet other legal requirements when looking after the Scheme.
The Trustee will use your personal data to comply with these legal obligations, to establish and defend its legal rights, and to prevent and detect crimes such as money laundering and fraud. It may need to share your personal data with other people for this reason, such as courts, law-enforcement agencies and providers of anti-money laundering services.
The Trustee also has a legitimate interest in properly looking after the Scheme. This includes paying benefits as they fall due; buying insurance contracts; direct-debit instruction checks; communicating with you; and ensuring that correct levels of contributions are paid, that benefits are correctly calculated, and that the expected standards of Scheme governance are met (including standards set out in Pensions Regulator guidance).
To achieve this, the Trustee may share your personal data with various entities, including any new trustee directors; employers; any Scheme actuary appointed by the Trustee; B&CE (in various capacities) and its group of companies; the Trustee’s professional advisers; auditors; insurers; HMRC; the Pensions Ombudsman; and IT and data storage providers and other service providers (which can include mailing and printing providers for joiner packs, statements and other communications). If your benefits are transferred to another Scheme, the Trustee will also need to give the administrators of that Scheme information about you.
When the Trustee needs to use information about your health (or other very personal and private information), it may ask your consent (or ask B&CE to do this on the Trustee’s behalf). However, sometimes there may be reasons of public interest or law that enable the Trustee to use this information without consent. The Trustee will do this if it helps it to look after the Scheme sensibly. You can withdraw your consent at any time by using the contact details below. This may affect what the Trustee can do for you, unless it has another lawful reason for using your information.
The Trustee may also share your personal data with someone else if you have given your consent – for example, if you transfer your benefits out of the Scheme. Sometimes your personal data may be used for statistical research but only in a form that no longer identifies you.
How you can contact the other people the Trustee has given your personal data to
Some of the people mentioned above just use your personal data in the way the Trustee tells them. However, others may make their own decisions about how they use this information to perform their services or functions, or to comply with regulatory responsibilities as controllers in their own right. In this case, they are subject to the same legal obligations as the Trustee regarding this information.
The rights you have regarding your information apply to them too. If you want any more information from any of these recipients or to use any rights regarding the information they hold, please contact the Trustee and you will be put in touch with them. Alternatively, you can contact B&CE in its capacity as Scheme administrator and it will do what is needed on the Trustee’s behalf.
What is the legal basis for B&CE using your personal data including if B&CE shares it?
B&CE uses your personal data to run The People’s Pension Scheme on the Trustee’s behalf. This also includes:
- processing your requests and queries
- verifying your identity and carrying out anti-fraud checks
- carrying out business processes and relevant activities including auditing, business planning, accounting and transactions.
B&CE also has a legitimate interest in giving you high-quality service. Given the long-term nature of The People’s Pension and its customers’ lifecycle and changing needs, this interest extends to supporting your retirement journey and monitoring the suitability of the options you are offered at retirement. To do this, B&CE may process your personal data for the following activities:
- Sending non-statutory communications it has identified as relevant and beneficial to you and your needs.
- Keeping your details updated, and reconnecting with you if you change address.
- Training, and improving B&CE customer services – for example by recording telephone calls.
- Giving you additional information about your current products and services, and any products and services B&CE offers that are similar to and complement its current offering to you.
- Giving you information about other products and services you have consented to receive.
- Personalising the way information on B&CE and The People’s Pension website is presented to you.
- Advertising that promotes B&CE’s content and services to visitors over the internet or social media. People targeted by online advertising are anonymous to both B&CE and its marketing service providers.
- Certain telephone calls may be received by a third-party administrator on B&CE’s behalf. B&CE may also use Calling Line Identification information to provide its services, offer help, and improve its efficiency.
B&CE may share or disclose personal data when necessary to provide its services or conduct its business operations. When B&CE shares personal data, it does so in line with data privacy and security requirements. Sharing information enables it to better understand your needs and manage the product or service it provides to you in the most efficient way. If you want any more information from any of the recipients or to use any rights regarding the information they hold, please contact B&CE using the details at the end of this notice.
Below are the parties with whom B&CE may share personal data and why:
Within the B&CE group of companies
Personal data may be shared with other companies in the B&CE group to allow it to efficiently carry out various activities including administration, customer and technical support, legal and compliance purposes, marketing and business and product development. All B&CE employees and contractors must follow its data privacy and security policies when handling personal information.
Third-party service providers
B&CE provides personal data to these third parties when they need it to fulfil their services to B&CE. Their services include software, systems, and platform support which can include telephony and call recording services and opt-out portal service; print and mailing services; data-quality services; overflow call centre; investment management; customer research services; archiving and destruction services; auditors and actuaries; cloud hosting services; and data analytics.
B&CE third-party service providers are not permitted to share or use personal information that B&CE makes available to them for any other purpose than to provide their service. When B&CE outsources any process, it will ensure any supplier or contractor has adequate security measures in place.
Third-parties for legal reasons
B&CE will share personal data when it believes this is needed to comply with legal obligations and to respond to requests from government agencies, including law-enforcement and other public authorities such as regulators. Personal data may also be shared with your employer or their adviser but only as required to comply with pension or automatic-enrolment requirements.
Marketing from B&CE
B&CE will only use your personal data to manage your products or services and to communicate with you about information that may be of interest. However, sometimes B&CE would like to contact you with details of other products or services it provides. You can choose to receive these types of communications by contacting us – see ‘Managing your preferences with B&CE’.
Managing your preferences with B&CE
B&CE aims to ensure you only receive communications about information that is of interest to you or that enhances its services to you.
You can opt out of marketing or communications that are not required by law or not required to efficiently manage your product and service.
You may also opt out of certain data processing activities such as research and data analysis.
To do this, call B&CE on 0300 2000 555 (members) or 01293 586666 (employers and business advisers). Please note, calls are recorded for training and monitoring purposes. Or contact us online.
Children’s privacy and how the Trustee and B&CE will approach this
The Trustee may process personal data about children. But this is only likely if the children are named in a beneficiary nominee form or if they are otherwise going to receive benefits on your death. (B&CE may fulfil the same role in its capacity as Scheme administrator – acting on the Trustee’s behalf – but not as a data controller.)
If the Trustee finds personal data about a child/children in a beneficiary nominee form, the Trustee will (if necessary) issue its separate ‘child facing’ privacy notice to the child/children.
(The Trustee looks at such forms when it needs to use its discretion under the Scheme rules to decide who is a beneficiary after your death.) The ‘child facing’ privacy notice would be sent ‘care of’ the surviving parent or guardian if that is appropriate. The Trustee will usually only do this if it decides to make the award to the nominated child beneficiary – for example, if it is anyway going to write to the child (or the surviving parent or guardian) to give the Trustee’s favourable decision.
The Trustee may ask for consent (including from the surviving parent or guardian) to process the child’s personal data on the nominee form, where relevant. However, there may be reasons of public interest or law that enable the Trustee to use the personal data about the child nominee without consent. If possible, the Trustee will rely on those alternatives to run the Scheme in a sensible way.
For how long do the Trustee and B&CE keep your personal data?
The Trustee needs to keep some of your personal data long enough to make sure it can satisfy its legal obligations regarding the Scheme and pay any benefits due to you or concerning you.
The Trustee will keep your information for long enough to ensure that, if a query arises in the future about your benefits, it has enough information to deal with it if it has a legal obligation to do so. To meet this aim, most of the personal data that the Trustee holds will be kept for 15 years from the end of the Scheme year in which the last payment from the Scheme is made to you or in respect of you.
However, some information may be kept for more or less time depending on how long the Trustee sensibly thinks it needs it to deal with the Trustee’s legal obligations mentioned above, and any queries or complaints. (These may come from you or your beneficiaries/others who may ask the Trustee if they are entitled to payments.)
B&CE will keep and process your personal data for as long as necessary to comply with its legal obligations, resolve disputes, act as evidence of claims and relationships, and to enforce its agreements.
When B&CE no longer needs personal data, it will dispose of it in line with approved company processes. These will ensure all reasonable efforts and precautions are taken to protect the confidentiality of the data. If data is kept as evidence of the payment of a claim or transfer, it will be archived and reduced to the minimum information needed to allow identification and confirmation of the claim payment.
Keeping your personal data safe
When the Trustee passes your information to another person, it seeks to ensure that the other person has appropriate security measures in place to keep your information safe and to comply with general principles regarding data protection.
Some of the people (this includes organisations) that the Trustee shares your information with may process it overseas. This means your personal data may sometimes be transferred outside the UK and the European Economic Area. Some countries already provide adequate legal protection for your personal data. In other countries, additional steps will be needed to protect it.
You can contact the Trustee for more information about its safeguards for ensuring that your personal information is adequately protected in these circumstances (including how to get copies of this information). Alternatively, you can contact B&CE in its capacity as Scheme administrator. In this regard, B&CE will do what is needed on the Trustee’s behalf.
Customer Data held directly by B&CE is stored on secure servers in the UK. They do not transfer customer data outside the European Economic Area. B&CE holds data in various forms, including electronic databases and paper files. It takes all reasonable steps necessary to ensure your data is adequately protected and processed in line with this privacy notice.
The People’s Pension Scheme member and employer customer records are held on B&CE’s in-house IT systems. These records are also replicated at its UK based Disaster Recovery (DR) site, and additional data backups are also remotely stored in fireproof safes at a secondary UK site. The DR site is operated by a specialist provider in Data & Recovery Centres who adhere to multiple ISO standards including ISO27001.
B&CE work with third party suppliers during their business activities and it is sometimes necessary for these suppliers to receive and store data on B&CE’s behalf. B&CE does detailed checks (‘due diligence’) on these suppliers that includes detailed questionnaires about their information security, data protection and encryption policies and procedures.
The Trustee and B&CE
The Trustee and B&CE take data security seriously. Their data security policies and procedures are regularly reviewed internally and independently. A summary of their data governance processes is published externally. More details are available in The People’s Pension’s published AAF Assurance Report.
How you can help to keep your personal data up to date
The Trustee and B&CE need to ensure your personal data is accurate and up to date. Please tell them if your details change (for example, if you move address). In addition, you have rights under data protection law to have inaccurate personal data corrected and incomplete data completed.
For more details about your rights, please see below.
Your rights as a data subject against the Trustee and B&CE
The Trustee and B&CE
You have the right to lodge a complaint directly with the supervisory authority, the Information Commissioner who can be contacted on 0303 123 113. You may be asked to provide proof of identity when making these requests.
You have other rights under data protection law that you can exercise against the Trustee or B&CE but these do not apply in all circumstances. You can exercise those rights free of charge except in very limited circumstances, which will be explained to you if relevant.
For more information about all these rights, and how to exercise them against the Trustee or B&CE, please contact B&CE who will be able to tell you more.
Here are short descriptions of your rights:
Right of access – you have a right to request access to your personal data, to obtain confirmation that it is being processed, and to obtain certain prescribed information about how it is processed.
Right of rectification (correction) – in certain circumstances you have a right to ask for your personal data to be corrected if it is inaccurate, and completed if it is incomplete. Where your personal data in question has been disclosed to organisations, they must be informed of the rectification if possible.
Right to be forgotten – in certain circumstances, you can ask to have your personal data erased. It is unlikely to be possible to accept your request if, for example, the Trustee and/or B&CE (as relevant) has a legal duty to retain or process your information.
Right to restriction of processing – if certain conditions apply, you have a right to restrict the processing of your information. This includes when you contest it as being inaccurate (until the accuracy is proved); if you have objected to the processing (when it was necessary for legitimate interests) and the Trustee and/or B&CE (as relevant) is considering whether its legitimate interests override your own; if you consider that the processing is unlawful (and if this is true) so that you can oppose erasure and request restriction instead; or if the Trustee or B&CE (or both, if relevant) no longer need the personal data for the purposes they held it but you require one or both of them to continue to hold it to establish, make or defend legal claims.
Right of portability – in certain circumstances, you have the right to move, copy or transfer your personal data to another organisation or to yourself. This right is only relevant if personal data is being processed based on a consent (or for performance of a contract) and is done automatically. This right is different from the right of access (see Your rights as a data subject against the Trustee and B&CE above) and the types of information you can get under the two separate rights may be different. Using the data portability right, you cannot get all the personal data you can get using the right of access.
Right to object – in certain circumstances, you have the right to object to certain types of processing of your personal data when it is based on legitimate interests, when it is processed for direct marketing (including profiling relevant to direct marketing) or when it is processed for the purposes of statistics. Your rights to object may be relevant if you wish to find out more about what legitimate interests the Trustee or B&CE (or both) rely on (as are listed in their respective parts of this privacy notice) or about what profiling B&CE does regarding its direct marketing. Please note that the Trustee does not do direct marketing. Regarding B&CE only, you can adjust your preference settings by contacting B&CE.
Automated decision making – the Trustee does not make automated decisions. B&CE may profile your data for marketing and communication purposes, which you can opt out of. It does not do any automated decision-making that would produce legal or other significant effects on you. You can also withdraw consent if you have provided it and if this is being relied on as the legal basis for using your personal data – as previously described.
Changes to this privacy notice
This notice was last updated 19 May 2020. The Trustee or B&CE (or both) may amend this privacy notice from time to time to keep it up to date or to comply with legal requirements. If you have access to the internet, you should regularly check this privacy notice for updates. If necessary, you may be notified of changes. Your contact details (as previously described) would be used for this purpose, based on the legal basis of compliance with legal obligations or legitimate interests (or both, as relevant).
How to contact the Trustee and B&CE
If you wish to make a complaint, find out more information about how your personal data is being processed by or on the behalf of the Trustee or B&CE (or both) as your data controller, or exercise your rights, you can contact B&CE (below).
The Trustee is not required to appoint a Data Protection Officer. But to make things simpler for you, B&CE’s Data Protection Officer will act as a point of contact for data protection queries about both controllers by liaising with the Trustee on your behalf.
You can write to the Data Protection Officer, Risk and Regulatory Compliance Department, Manor Royal, Crawley, West Sussex, RH10 9QP.
For members of The People’s Pension – please email email@example.com or call 0300 2000 555. Calls are recorded for training and monitoring purposes.
For employers or advisers offering a B&CE product or service to your employees – please email firstname.lastname@example.org or call 01293 586666.