ERP Trustees Limited (the “Trustee”, “we”, “our”) is committed to protecting and respecting your privacy. This Privacy Notice explains the types of personal information we collect, how we use that information and who we share it with in order to properly manage and administer the Plan, and also sets out how we protect that information.
Please read the following carefully to understand our views and practices regarding your personal information, and how we will treat it.
Who we are
We, the Trustee, are the ‘data controller’ for the purposes of data protection legislation. Our address is c/o Ensign Pensions Limited, The Beehive, Beehive Ring Road, London Gatwick Airport, Gatwick, West Sussex, RH6 0PA.
For members, beneficiaries or any individual with a query or complaint in relation to the Plan: The Trustee’s representative is Aegon UK plc, as administrator for the Plan, who may be contacted about any privacy questions you may have using the contact details below.
For employers: The Trustee’s representative is Ensign Pensions Limited, the Plan Secretary, who may be contacted about any privacy questions you may have at email@example.com.
Information covered by this Privacy Notice
This Privacy Notice covers all personal information collected and used by the Trustee. “Personal data” or “personal information” means information that (either in isolation or in combination with other information held by us) enables you to be identified as an individual or recognised directly or indirectly. This may include the types of information set out below.
What information do we collect from or about you?
Information we receive from you or your employer:
When your employer enrolled you into the Plan, they provided us with personal information about you as required by law. Your employer, or a third-party payroll provider chosen by your employer, will continue to provide us with personal information about you whilst you remain a member of the Plan and in their employment.
You, or your delegate, may also provide us with personal information about you when you correspond with us. This may be to inform us of a change of address or amend your nomination form.
The information we may receive from you, your delegate or your employer may include the following:
- Information about you, such as name, date of birth, sex, postal address, email address, phone number, bank details, national insurance number, HMRC details and passport number;
- Information about your health, such as in the context of ill-health application forms;
- Information about your family, such as current marriage and partnerships and marital history, details of family and dependants;
- Information about your employment history, such as pensionable pay, length of service, employment and career history, recruitment and termination details, attendance record, health and safety records, security records, job title and job responsibilities, financial details such as income, salary, assets and investments, bank account details to process pension payments, benefits, grants and insurance details.
Information we may collect when you visit our website:
- Technical information, including your IP address, browser type and version, device identifier, location and time zone setting, browser plug-in types and versions, operating system and platform, page response times, and download errors;
- Information about your visit, including the websites you visit before and after our website;
- Length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouseovers) and methods used to browse away from the page.
Information we receive from other sources:
If you are a Plan member, we may receive information about you from third parties. These could include another pension scheme if you are transferring in benefits, a third-party agency if we’ve lost contact with you, anyone entitled to benefit under your membership of the Plan, your next of kin or (with your consent) from registered medical practitioners.
Some of the personal information you provide may be sensitive personal information, such as details about your health in the case of an application for ill-health early retirement. In these circumstances, you will be asked to provide consent. This will enable the Trustee to process your sensitive personal information for the purposes set out in the form. Occasionally, where it is not possible to obtain your consent, we may alternatively process such sensitive information which we receive from third parties where this is necessary for the purposes of carrying out our obligations, the establishment, exercise or defence of legal claims, or exercising our or your specific rights under employment, social security and social protection law, or where this is necessary to protect your vital interests.
If you are a beneficiary under the Plan nominated by a member, we may receive information about you from a member who nominates you to be a beneficiary of the Plan. For example, a member may nominate you to receive lump sum death benefits in the event of their death.
How do we use your personal information?
We may use your personal information:
- To administer your personal accounts and provide benefits under the Plan. This may include tracing (in relation to members’ personal data)
- To deal with any enquiries from you and correspond with you about the Plan, including any changes to our services
- To pay benefits to members’ nominated beneficiaries
- To analyse and improve the activities, services and information offered by the Plan website
- For the purpose of keeping internal records
- To comply with legal requirements
- In connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets
How do we use personal information for this purpose?
- We will need to process your personal information to allocate pension contributions made by your employer to your personal account and communicate with you about your pension benefits.
- We may need to process and sometimes share your information to undertake a tracing exercise if we should happen to lose contact with you (e.g. to ensure you receive the correct benefits and reduce the risk of impersonation fraud).
- We will also need to process the personal information of staff at the employers of Plan members (e.g. business contact information) for the purposes of operating the Plan.
- We will need to use your personal information such as your contact details and information about your membership to communicate with you and assist with queries.
- We will also need to process personal information relating to staff at the employers of Plan members (e.g. business contact information) when we correspond with employers about the Plan.
- We process the personal information of members’ nominated beneficiaries where this is necessary to pay benefits to those beneficiaries in accordance with the member’s wishes.
- Sometimes we may need to collect and process information about a beneficiary’s health or sexual orientation (we will never ask specifically for information concerning sexual orientation, but it may sometimes be possible to infer this from the information provided about the beneficiary, such as their name and relationship to the member). Where we collect this information, we will ask members to confirm that they have beneficiaries’ consent to provide it to us.
- We may collect technical information, such as your IP address, operating system and platform or conduct surveys of your experience on our website.
- We will keep records of your personal information, such as your name, national insurance number, records of your salary and details of your dependants in order to administer the Plan. We will also keep your contact details on record in case we need to provide you with any information on the Plan.
- We may need to process personal information to comply with legal requirements to which we are subject (e.g. providing annual benefit statements).
- If the business of any employer participating in the Plan is reorganised and/or sold by way of a share sale or business transfer, we may need to share information in this context to ensure that the Plan is taken into account.
What is the legal basis for us processing your information in this way?
- It is necessary in our legitimate interest to use your personal information for the purposes of administering members’ personal accounts and paying members’ benefits.
- The processing of your personal information may also be necessary to comply with the Trustee’s legal obligations under the Plan’s Trust Deed and Rules and under pensions legislation to provide members with information about their retirement benefits.
- We may rely on your consent to collect sensitive information about you (e.g. in relation to ill-health applications).
- It is necessary in our legitimate interest to use your personal information for the purposes of administering the Plan in order to pay each member’s benefits.
- It is necessary in our legitimate interest to process personal information concerning nominated beneficiaries in order to pay benefits to those beneficiaries in accordance with a member’s wishes.
- Where making payments to beneficiaries involves collecting and processing information about a beneficiary’s health or information from which their sexual orientation could be inferred, we will ask members to confirm they have the beneficiary’s consent to provide us with this information.
- It is necessary in our legitimate interest to ensure that content on the website is presented in the most effective manner for you and your computer for the purposes of administering the Plan and paying each member’s benefits.
- It is necessary in our legitimate interest to keep records of your personal details and any correspondence with you for the purpose of administering the Plan and paying each member’s benefits.
- It is necessary for the establishment, exercise or defence of legal claims to store some sensitive personal information (such as historic ill-health application forms) in the event of a future query.
- It is necessary for us to process certain personal information for the purposes of complying with legal requirements to which we are subject.
- It is necessary in our legitimate interest to share personal information in this way in order to facilitate the operation of the Plan.
Who may use your personal information?
We share your personal information with third parties, where this is necessary to administer the Plan and/or comply with contractual obligations relating to it.
We share your personal information with the following third-party organisations:
- Ensign Pensions Limited
Ensign Pensions Limited provides certain pensions management, executive and secretarial services to the Trustee and will require access to your personal information in order to carry out those functions. Ensign Pensions Limited will process your personal information on our behalf as our data processor.
- The Plan’s administrator
We have appointed Aegon UK plc as administrator for the Plan (we may change this appointment from time to time, in which case we will update this notice) (the “Administrator”). The Administrator carries out the pensions administration services on behalf of the Trustee and will require access to your personal information in order to provide ongoing administration of your personal account. It will also perform other activities such as responding to requests or complaints and providing information to members, and so will require access to your contact details. The Administrator will process your personal information on our behalf as our data processor.
- Participating employers of the Plan
This may include your former, current or prospective employer. Your personal information will only be shared with these entities to the extent that this is necessary for the administration of your pension benefits.
- Other third-party service providers
In certain circumstances, we share your personal information with third-party organisations such as auditors and legal advisors who may also be data controllers in relation to your personal information.
Other third-party organisations such as investment consultants may also process personal information on our behalf as data processors. We ensure that your information is kept secure by checking that their security measures are adequate and by entering into agreements with such third parties which specify that they must only process personal information on our behalf and according to our instructions. A list of advisors to the Plan, with whom we may share your personal information, can be found on the Plan website at http://www.ensignretirementplan.co.uk/advisers.html.
- Third parties permitted by law
In certain circumstances, we may be required to disclose or share your personal information in order to comply with a legal or regulatory obligation (for example, we may be required to disclose personal information to the police, local or foreign regulators or to judicial or administrative authorities).
We may also disclose your personal information to third parties where disclosure is both legally permissible and necessary to protect or defend our rights or protect your rights or those of the public.
Any personal information held by us and any third-party will be treated as confidential. We will not sell your personal information to third parties.
Where we store your personal information
The personal information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). In particular, some of the personal data we collect may be transferred to and stored in India. Your personal data may also be processed by staff operating outside the EEA who work for us or for one of our service providers. We will take all steps necessary to ensure that your personal information is treated securely and in accordance with this Privacy Notice and applicable data protection laws, including, where relevant, entering into EU standard contractual clauses (or equivalent measures) with the party outside the EEA receiving the personal information.
You have the legal right to request details of the personal information that we hold about you, to ask us to stop processing your information where you have previously consented to us doing so, to have it corrected or deleted in certain circumstances, and not to be contacted by us if you do not wish to be.
Your right to access the information we hold about you
You can request access to the information we hold about you by contacting us using the contact details set out below. Our file of your information will usually be made available to you within 30 days, although occasionally we may not be able to give you access to the personal information we hold about you (for example, we may not be able to give you access if it would unreasonably affect someone else’s privacy or if giving you access poses a serious threat to someone’s life, health or safety). Please note that we may apply an administrative charge for providing access to your information in certain circumstances. Any such charge will be reasonable and we will advise you of the charge and obtain your consent before providing you with access to your personal information. Please note that if you request a copy of your data using electronic means (such as email), then we will provide a copy of your information in electronic form unless you ask us to do otherwise.
Your right to have your information corrected or deleted
If any of the information we hold about you is inaccurate or out of date, such as the information included in your benefit statement, or you would like it deleted, please email your request to firstname.lastname@example.org and we will consider your request as soon as possible.
Your right to object to us processing your personal information
Where the legal justification for our processing of your personal information is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.
Your right to restrict processing of your personal data
You have the right to restrict our processing of your personal information where you believe such data to be inaccurate, our processing is unlawful or that we no longer need to process such data for a particular purpose, but where we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it.
Your right to have your personal information transmitted to another organisation
Where we hold personal information about you that you have provided to us or that has been generated by your activity as a member of the Plan, and we hold this information with your consent, you have the right to ask us to provide you with the personal information we hold about you in a structured, commonly used and machine-readable format and, where technically feasible, to transmit that personal information to another organisation.
Your right to withdraw consent to your data being processed
If you have consented to our processing of your personal information, you have the right to withdraw your consent at any time, free of charge.
Making a complaint
We would be happy to address any concerns you have directly and as a first port of call. If you believe that we have not complied with applicable data protection laws and you have a need to escalate your complaint, you have the right to lodge a complaint with a local data protection authority in the EEA.
The address for the UK data protection authority is as follows:
Information Commissioner’s Office
Water Lane, Wilmslow
Cheshire, SK9 5AF
Tel. +44 1625 545 745
If you have any questions or concerns about how we treat your personal information, you wish to ask us to stop processing your personal information, or you would like to request a copy of the personal information we hold about you, please contact the Administrator at email@example.com or by writing to us at:
Aegon Workplace Investing
PO Box 17486
Please include your reply address when you write to us.
How long do we keep your personal information?
Your personal information is stored by us and/or our service providers strictly to the extent necessary for the performance of our obligations, and for the time necessary to achieve the purposes for which the information is collected, in accordance with applicable data protection laws and our data retention policy. In the context of providing pension benefits, this period is extensive. We will typically store your personal information for the life of the Plan (or, in the event that the Plan were to wind up, for 15 years after such time). Retention of your personal information enables us:
- to process and pay your benefits and benefits that may be payable after your death;
- to respond to queries from members or your beneficiaries about your correct benefit entitlement, which queries may be received many years after members have transferred out or taken a refund of contributions or made elections to change their benefits; and
- to respond to legal claims.
When we no longer need to use your information, we will remove it from our systems and records and/or take steps to properly anonymise it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which we are subject).
How do we keep your personal information secure?
Any information held by the Trustee is stored electronically within a secure portal. Your information is protected through the use of password protection, user access restrictions and encryption.
The Trustee takes steps to confirm that any third-party service provider that collects and stores personal data, whether in hard copy or electronic format, on behalf of the Trustee, acting as processor, has taken appropriate technical and organisational steps to ensure the security of your personal data. Such measures may include holding hard copy data in physical storage units with appropriate security restrictions or, in relation to personal information held electronically, password protecting computers and laptops and using secure portals for the transfer of documents.
As part of these security measures, you will be required to give proof of your identity before any personal information is disclosed to you.
Changes to this Privacy Notice
We may update this Privacy Notice from time to time in response to changing legal, regulatory or operational requirements. We will notify you of any such changes (including when they will take effect). Your continued participation in the Plan after any such updates take effect will constitute acceptance of those changes.
25 May 2018