0151 448 5423
DATA PROTECTION NOTICE
Who are we?
We are the Trustees of the BCF Pension Trust (the Trustees, we or us). We collect, hold and use personal information to help us run the BCF Pension Trust (the Plan).
Why are we writing to you?
The Trustees are data controllers in respect of the personal information that we hold in relation to the Plan. Because we use your personal information, we have to provide you with certain information in order to comply with new data protection legislation set out in the General Data Protection Regulation (GDPR).
This notice contains information on:
• the personal information we collect about you, what we do with this information and why we hold it. This is explained in more detail in section one (see page 2).
• who else we get personal information from and who else we share personal information with. This is explained in more detail in section two (see page 5).
• what rights you have in relation to your personal information and who to contact if you have any problems. This is set out in section three (see page 6).
We have set out additional information on how and why we process your personal information (see page 7), your rights under the GDPR (see page 9), third parties with whom we share your personal information (see page 12) and an explanation of the key terms and phrases that are used in this notice (see page 13).
Where can I get more information?
This notice is at http://www.bcfpensiontrust.org/admin/Privacy-Notice. We also provide printed versions (including large print versions) on request.
This notice explains how the Trustees process your personal information. Please read this notice (and any other privacy information that we send to you) so that you are aware of how and why we are using your personal information.
We may change this notice from time to time. Please visit the webpage or contact us in order to receive the most up to date version of this notice. Our contact details are set out in section three of this notice (see page 6).
ABOUT YOUR PERSONAL INFORMATION
What information do we collect and process?
We collect and process your personal information because you are or were a member, or are or were connected to a member of the Plan. We also collect personal information if you contact us in connection with your membership of the Plan.
We collect and process the following categories of personal information about you:
• personal contact details – names, titles, addresses, telephone numbers and email addresses;
• information about you – dates of birth, gender, marital status, dependents and next of kin;
• payroll information – National Insurance numbers, payroll numbers, bank account details, tax status, salary and employment information; and
• pension benefits – information about the pension benefits that you have accrued, investment choices and death benefit nomination forms.
What sensitive personal information do we collect and process?
We usually only ask for sensitive personal information when it is required to help us make a decision in relation to your rights under the Plan. For example, we may request:
• health information / medical records – we may ask you to provide health information if you request payment of a benefit that can only be paid if you meet certain medical criteria (e.g. ill health early retirement benefits). In addition to receiving this information from you, we may receive medical information from third parties such as your doctor or a third party occupational health provider; or
• other sensitive personal information – we may ask you to provide other sensitive personal information (e.g. information about your personal relationships) if it is relevant to help us decide on an internal dispute resolution procedure.
In addition, certain categories of sensitive personal information (e.g. race, ethnicity, religious beliefs and sexual orientation) may be revealed on formal documentation that we process in order to identify the recipients of benefits under the Plan (e.g. birth certificates, marriage certificates, driving licenses and passports). You may also decide to provide us with sensitive personal information voluntarily (e.g. when raising queries or making a complaint).
How do we collect your personal information?
When you join the Plan, you and/or your employer provide personal details so that we can create your membership record.
This information is updated whilst you are a member of the Plan. Updated information may come from:
• you (e.g. if you get in touch to let us know a new address);
• your employer (e.g. updated salary and payroll information); and
• other third parties (e.g. if you contact the Plan's administrator to update your personal information or if HMRC provides us with information so that we can deduct the correct level of tax).
In addition, we may request additional information in certain circumstances (e.g. if you request to transfer your benefits to another pension scheme, if you apply for ill-health benefits or when you ask for your benefits to start being paid).
Why do we process your personal information?
We use this information to:
• set up your membership record for the Plan;
• manage your membership of the Plan;
• send you information that is relevant to your membership of the Plan;
• calculate, pay and settle any benefits that you are entitled to;
• comply with our legal and regulatory duties;
• help manage risks and liabilities in the Plan in order to seek to be able to pay full benefits as far as possible;
• help the Plan's sponsoring employers comply with their legal and regulatory duties;
• communicate with members with information about the Plan; and
• improve our information and knowledge of pension schemes generally.
What are our legal grounds for processing your personal information?
In order to comply with our legal obligations
As the Trustees of the Plan, we are under legal obligations to process your personal information in order to comply with pensions and other relevant legislation, the Plan's rules, court rulings and Pensions Ombudsman decisions. For example:
• legislation sets out certain things trustees must do (e.g. sending certain information to the Plan's members); and
• the Trustee is subject to fiduciary duties under trust law to act in line with the Plan's governing documentation.
It is necessary for us to process your personal information in order to comply with these legal obligations.
In order to fulfil our legitimate interests
Processing your personal information is also lawful if it is based on our 'legitimate interests'. The Trustees have a legitimate interest in running and managing the Plan and managing the Plan's risks and liabilities. In addition, certain third parties may have legitimate interests which require the processing of your personal information by the Trustees (e.g. your employer may need information in order to comply with regulatory requirements).
In order to rely on this legal ground, we have:
• considered the impact the processing has on your interests and rights; and
• implemented appropriate safeguards to ensure that your privacy is protected as far as possible.
What are our legal grounds for processing your sensitive personal information?
There are three legal grounds that allow us to process your sensitive personal information (sometimes referred to as special categories of personal data):
• when we obtain explicit consent from you (e.g. when you sign one of the Plan's forms which contains the appropriate consent wording);
• when processing is necessary for carrying out obligations under employment, social security or social protection law. This includes obligations under pensions law; and
• when processing is necessary for reasons of substantial public interest (which, under the Data Protection Act 2018, applies to certain processing by trustees of occupational pension schemes when making decisions about benefits).
What would happen if we did not collect and process your personal information?
If we did not collect and process your personal information then:
• we would not be able to manage or administer the Plan appropriately;
• we would not be able to pay the benefits that you are entitled to under the Plan; and
• we would be in breach of our legal and regulatory duties.
How long do we keep your personal information for?
The Plan was set up to provide benefits over a very long time. The Trustees need to maintain records in order to properly run the Plan, to determine who should receive what level of benefits and when they should receive them, and to respond to any disputes about an individual's rights under the Plan.
As a result, the Trustees will generally keep your personal information for the lifetime of the Plan plus 15 years (the longest period of time that someone can bring a claim against the Plan). Our service providers (and former service providers) may also have similar valid grounds to keep your personal information for such long periods.
USING AND SHARING YOUR PERSONAL INFORMATION
How do we keep your personal information secure?
We use a range of measures to safeguard your personal information, in line with the requirements set out in the Data Protection Legislation. These apply to both paper and electronic records. We also require our third party service providers to give certain assurances and agree to contractual terms in respect of data protection and the security of your personal information.
What do we do with any personal information that is provided by third parties?
We receive personal information from sources other than directly from you. This includes information shared by your Plan employer, the Plan's administrator, its professional advisers, service providers and other relevant third parties.
When we receive this information, we add it to the information we already hold about you in order to help us make sure that your details are as up to date and accurate as possible and so that we can manage your membership of the Plan and the Plan more generally.
Who do we share your personal information with?
For the purposes of administering and managing the Plan, managing its risks and liabilities, and paying benefits under it, the Trustees may need to share your personal information with third parties. This will include your employer (e.g. the payroll, finance, compliance, audit and HR teams).
It will also include third parties who provide advice or services to the Trustees. These third parties may include actuaries, administrators, auditors, insurers, prospective insurers, lawyers, medical advisers, and any other such third parties as may be necessary for the operation of the Plan and to enable the Trustees to carry out their duties.
We've set out a list of the third parties with whom we share your personal information together with links to their data protection and privacy information (see page 12).
Our suppliers and service providers who act as data processors must act in accordance with our instructions. Some of our suppliers and service providers also act as data controllers in respect of your personal information. We've included links to their online privacy information if you want to find out more about how they process your personal information.
In some circumstances, we may have to disclose your personal information by law, because a court or the police or other law enforcement agency has asked us for it. We may also need to pass your personal information to The Pensions Regulator or HM Revenue and Customs.
We may also share your personal data with the Plan's employers to enable them to carry out activities in their legitimate interests (this is usually in connection with managing their business from a regulatory, HR or finance perspective).
Sometimes, in order to improve our knowledge and information of pension schemes generally (so that we may improve our ability to run the Plan appropriately) we pool the personal data we hold with that of other pension schemes through third parties (for example, to obtain up to date and more accurate longevity data).
YOUR RIGHTS AND WHO TO CONTACT
What rights do you have in respect of your personal information?
In certain circumstances, you have the following rights in respect of your personal information:
• the right to object to us processing your personal information;
• the right to request access to personal information relating to you;
• the right to request that we correct any mistakes in your personal information;
• rights in relation to automated decision taking;
• the right to request to restrict or prevent processing of your personal information;
• the right to request to have your personal information transferred to another data controller (e.g. if you decide to transfer your pension benefits to another pension scheme); and
• the right to request to have your personal information deleted.
We've set out more information about these rights in part two of the additional information starting on page 9.
How will we respond to your request?
We will usually respond to any request that you make in relation to your rights within a month of receiving your request. If your request is particularly complex, we will let you know that we've received your request and let you know when we aim to respond. You can find out more about your rights under the UK's data protection laws at www.ico.org.uk.
Under the UK's data protection legislation, there are exemptions which mean that, in certain circumstances, we may continue to store, process or transfer your personal information (for example where we need to comply with a legal requirement or have a legally valid legitimate interest in doing so) even if you ask us not to.
What should you do if you have any questions or complaints?
You may be entitled to compensation for damage caused by breach of the Data Protection Legislation. If you do not think that we have processed your data in accordance with this notice, please contact us in the first instance (see 'How to contact us' below). If you are not satisfied, you can complain to the Information Commissioner's Office. Information about how to do this is available on their website at www.ico.org.uk/concerns or by calling their helpline on 0303 123 1113.
How to contact us
Please contact us if you have any questions about this privacy notice or the information we hold about you.
If you wish to contact us, please send an email to firstname.lastname@example.org or write to us at: Trustees of the BCF Pension Scheme, Rossmore House, Rossmore Road East, Ellesmere Port, CH65 3DA. Alternatively, you can call the Plan's helpline on 0151 608 1346.
FURTHER INFORMATION – PART ONE
MORE ABOUT HOW AND WHY WE PROCESS YOUR PERSONAL INFORMATION
|Category of personal information||What we use this information for||Legal ground(s) for processing||where we got this information from|
|Address||We use this information so that we can send you information that we are legally required to provide you with. In addition, we use this information to get in touch with you when we need to in order to run the Plan. Finally, we use it to send you information that we think will be relevant to you as a member of the Plan.||
We have a legal obligation to send certain information to members of the Plan.
In addition, we may send additional information to fulfil our legitimate interest of running the Plan.
This information is initially provided by you or your employer when you joined the Plan.
Your employer may share updated information if you update your records with HR. In addition, you may have updated your information by contacting us or the Plan's administrator.
If a member's details are not kept up to date, we may lose contact with that member. In these cases, we may use a third party tracing agent to obtain up to date contact information.
|Name and title||We use this information to identify you and to create and update your membership record in the Plan.||
We have a legal obligation to pay the correct level of benefits to the correct individuals. This requires us to obtain and update this information.
We also have a legal obligation to properly identify individuals who receive or may receive benefits from the Plan.
The Trustees are also required to comply with tax legislation and deduct the correct level of tax from benefits.
Processing this information also fulfils the Trustee's legitimate interests in running and managing the Plan.
|Date of birth and your Plan retirement date|
|Marital status||We use this information to help us decide who should receive what benefits from the Plan.|
|Next of kin|
|National Insurance number||We use this information to identify you and to create and update your membership record in the Plan. Your National Insurance number is also needed so that we can receive the correct information from HMRC and so that we can deduct the correct level of tax from your benefits.|
|Employment start and, if applicable, end dates|
|Plan reference number||The Plan's administrators may create a unique reference number so that your records can be easily identified.|
|Bank account details||We use this information in order to pay your benefits under the Plan directly to you.||Your bank details provided by you when you fill in your membership form and when you update your details.|
|Tax status||We use this information to deduct the correct level of tax from your benefits.||Your tax status is provided to us by your Plan employer and/or HMRC.|
|Salary details||We use this information to calculate the correct level of your benefits under the Plan.||Your salary details are provided to us by your Plan employer.|
|Details about your entitlement to pension benefits under the Plan||We use this information to calculate the correct level of your benefits under the Plan.||See the section above on the previous page.||Details about your entitlement to pension benefits under the Plan may be provided by your employer or may be determined by reference to the Plan's governing documentation. In addition, the Plan's actuary and administrators will carry out calculations, the results of which will be added to your record.|
|Investment choices||We use this information to ensure that your additional voluntary contributions and/or money purchase benefits are invested in the correct investment fund.||We have a legal obligation to ensure that the Plan is run properly and in line with its governing documents. There is also specific legislation that governs payment of contributions into money purchase investment funds.||We (or our third party providers) give you with information about the investment options that are available to you. You then provide us with your choices and any changes to your investment choices.|
|Death benefit nomination forms||We use this information as part of our decision making process when deciding who will receive death benefits.||As Trustees of the Plan, we have a legal obligation to make decisions in line with trust law. This includes an obligation to take account of all the relevant facts and ignore all the irrelevant facts when making decisions and exercising discretions. We also have a legal obligation to pay the correct level of benefits to the right individuals at the right time.||You provide us with the information that is contained on our death benefit nomination forms.|
|Medical information (including medical records and doctors' opinions)||We use this information as part of our decision making process when deciding ill health benefits under the Plan.||Medical information relating to you may be provided directly by you, by the Plan employer, your doctor or by a third party providing health assessments / reports.|
|Information about your personal relationships||This information is used to determine who is entitled to benefits in relation to your membership of the Plan.||This information is usually provided by you. In certain circumstances, we may also need to obtain information from relevant third parties.|
Certified copies of official documents, including:
This information is used to:
||As Trustees of the Plan, we have a legal obligation to make decisions in line with trust law. This includes an obligation to take account of all the relevant facts and ignore all the irrelevant facts when making decisions and exercising discretions. We also have a legal obligation to pay the correct level of benefits to the right individuals at the right time. Certified copies of official documentation are sometimes essential for the Trustee to make legally valid decisions.||This information is usually provided directly by you or from your next of kin. In more unusual cases (e.g. when we are having difficulty locating a member or identifying their next of kin) publically available official documentation may be obtained by a third party tracing agent.|
FURTHER INFORMATION – PART TWO
MORE ABOUT YOUR RIGHTS UNDER THE GDPR
As a data subject, you have a range of rights under the Data Protection Legislation. These rights are explained in more detail below. If you have any comments, concerns or complaints about our use of your personal information, please contact us directly.
You can email email@example.com or write to us at:
Trustees of the BCF Pension Scheme,
Rossmore Road East,
Alternatively, you can call the Plan's helpline on 0151 608 1346.
Right to object to our processing of your personal information
You may object to us processing your personal information where we are relying on a legitimate interest as our legal grounds for processing. Our legal grounds for processing are set out in section one of this data protection notice (see page 3) and part one of the further information (see page 7).
If you have the right to object to processing (i.e. for personal information that we process in order to fulfil our legitimate interests or the legitimate interests of a third party) and you exercise this right, we will no longer be able to process your personal information unless we can demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds as set out in section one of this data protection notice (see page 3) and in part one of the further information (see page 7).
The key point to note is that, if we cannot continue to process your personal information, we would be unable to ensure that we are providing the correct level of benefits in respect of your membership of the Plan. As we are legally required to pay the correct level of benefits to the right people at the right time, in these circumstances we may have to delay or even stop payments / requests until we have sufficient information.
Right to access personal data relating to you
You can ask us to confirm whether we are processing your personal information. If we are, you may ask us to provide the following:
• a copy of your personal information (please note that, if you want more than one copy of your personal information, we reserve the right to charge a reasonable fee based on our administrative costs for the provision of such further copies);
• details of the purpose for which your personal information is being, or is to be, processed;
• details of the recipients or classes of recipients to whom your personal information is, or might be, disclosed, including, if the recipient is based in a country outside of the European Union, what protections are in place in relation to the transfer to that recipient;
• the period for which your personal information is held (or the criteria we use to determine how long it is held);
• any information available about where we obtained your personal information; and
• confirmation as to whether we carry out any automated decision-making (including profiling) and, where we do, information about the logic involved and the envisaged outcome or consequences of that decision or profiling.
Requests for your personal information must be made to us in writing (see ‘How can you contact us?’ below). A copy of your request will be kept on your membership record. To help us find the information easily, please give us as much information as possible about the type of information you would like to see.
If, to comply with your request, we would have to disclose information relating to or identifying another person, we may need to obtain the consent of that person if possible. If we cannot obtain consent, we may need to withhold that information or edit the data to remove the identity of that person if possible.
There are certain types of information which we are not obliged to disclose to you, which include personal information which records our intentions in relation to any negotiations with you where disclosure would be likely to prejudice those negotiations.
Right to correct any mistakes in your information
You can require us to correct any mistakes (including adding missing information) in any of the personal information concerning you which we hold. Please contact us using the contact details set out at the beginning of this section.
Rights in relation to automated decision taking/making
The Trustees do not generally use automated decision making or profiling.
Automated decision making occurs when decisions are taken solely on automated processes. Under the Data Protection Legislation, you have the right to ask that, if you are being evaluated (for example, when a bank carried out credit checks before making decisions on issuing loans or credit cards), any decisions are not solely based on automated processes and to have any decision reviewed by a member of staff.
These rights will not apply in all circumstances, for example where the decision is authorised or required by law and steps have been taken to safeguard your interests.
Right to request that we restrict the processing of your personal information
You may request that we restrict the processing of your personal information in any of the following circumstances:
• where you do not think that your personal information is accurate. In this case, we will start processing again once we have checked whether or not your personal information is accurate;
• where the processing is unlawful, but you do not want us to erase your information;
• where we no longer need the personal information for the purposes of our processing, but you need the information to establish, exercise or defend legal claims; or
• where you have objected to processing because you believe that your interests should override our legitimate interests. In this case, we will start processing again once we have checked whether or not our legitimate interests override your interests.
If our processing is restricted in any of the circumstances described above, we will inform you in advance if that restriction is to be lifted.
Right to request that we delete your personal information
You can ask us to delete your personal information where your personal information is being processed on a legal ground other than for complying with a legal obligation and:
• you believe that we no longer need to process it for the purposes set out in this privacy notice;
• you had given us consent to process it, but you withdraw that consent and there is no other legal ground upon which we can process it;
• you have successfully objected to our processing it; or
• it has been processed unlawfully or has not been erased when it should have been.
Right to request transfer of your personal information
You may, in specified circumstances, ask a data controller to provide you with an electronic copy of personal information that you have provided to it, or to have such a copy transmitted directly to another data controller.
Those circumstances do not, however, generally apply in relation our processing of your personal information in connection with the Plan. This is because:
• our legal grounds for processing will not normally be that you have consented to the processing; and
• we do not carry out processing by automated means.
Right to withdraw consent
We usually only request your consent when we ask you for sensitive personal data. You have the right to withdraw any consent you have given us at any point.
However, as highlighted above, the Trustees only request sensitive personal data that is required to make decisions in respect of specific member benefits or complaints. If you withdraw your consent for us to process this information, we may have to delay or even stop payments / requests until we have sufficient information.
What will happen if your rights are breached?
You may be entitled to compensation for damage caused by breach of the Data Protection Legislation. If you do not think that we have processed your information in accordance with this notice, please contact us in the first instance.
If you are not satisfied, you can complain to the Information Commissioner's Office. Information about how to do this is available on their website at www.ico.org.uk/concerns or by calling their helpline on 0303 123 1113.
FURTHER INFORMATION – PART THREE
THIRD PARTIES AND TRANSFERS
For the purposes of administering the Plan and paying benefits under it, the Trustees may need to share your personal information with certain third parties. This section lists the key third party service providers with whom we share your personal information.
|Role||Third party||Other information (if applicable)|
|Actuary||Hughes Price Walker|
|Administrator||HS Administrative Services Ltd|
|Legal advisers||Gowlings WLG||https://gowlingwlg.com/en/privacy-statement|
|Auditor||Duncan Sheard Glass|
|List any other key third party service providers who receive the Scheme's Personal Data||
Transfers of your personal information out of the EU
Your information may be transferred out of the European Union. Our service providers have confirmed that they either:
• do not transfer the Plan's data outside of the European Union; or
• do or may transfer the Plan's data outside of the European Union, but only when certain protections that are approved by the European Commission are applied. These protections aim to ensure the security of your personal information, safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms.
FURTHER INFORMATION – PART FOUR
KEY TERMS AND PHRASES
Data controller means the natural or legal person or other body who, alone or jointly with others, determines the purposes and means of the processing of personal data. This means that the data controller exercises overall control over the 'why' and 'how' of a data processing activity.
Data Protection Act 1998 is the legislation that currently applies to the processing of personal data in the UK. The Data Protection Bill 2017 – 19 will repeal the Data Protection Act 1998.
Data Protection Legislation means the Data Protection Act 1998, the Data Protection Bill 2017 – 19 and the General Data Protection Regulation, together with regulatory guidance issued by the European Commission (via the Article 29 Working Party) and the Information Commissioner's Office.
Data protection principles means the principles that are set out in the Data Protection Legislation relating to the processing of personal data. In the General Data Protection Regulation, there are six principles:
• lawfulness, fairness and transparency;
• purpose limitation;
• data minimisation;
• storage limitation; and
• integrity and confidentiality.
In addition, there is an overarching principle of accountability.
Data processor means a natural or legal person or other body who processes personal data on behalf of the data controller.
Data subject means the identified or identifiable living individual to whom personal data relates.
General Data Protection Regulation (GDPR) is the primary EU legislation that, on and from 25 May 2018, will apply to the processing of personal data in all member states of the EU.
Information Commissioner's Office (ICO) is the UK's national data protection authority. It is a public body that is charged with regulating information rights, public sector transparency and individual's privacy in the UK.
Personal data or Personal information means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number etc.
Privacy notice means the information that is provided to inform individuals about what you do with personal data. Under the Data Protection Legislation, data controllers must provide accessible information to individuals about the use of their personal data.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special categories of personal data
(also referred to as sensitive personal data) means:
• personal data that is personal data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
• the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person;
• data concerning health; or
• data concerning a natural person's sex life or sexual orientation.