Updated February 2020
Who are we?
This Policy applies to all members (both active and deferred), former members, employers, advisers and beneficiaries of the workplace pension scheme (the Scheme). It also applies to visitors to our websites and other individuals who contact us or interact with us through our websites.
If you would like further information on our pension products you can visit https://www.autoenrolment.co.uk/.
Platform as a Service (PaaS)
If you would like further information about our platform as a service, please visit https://www.smart.co/.
For information specific to members, please visit https://www.member.smart.co/.
Data Protection Laws
In this Policy, the ‘Data Protection Laws’ means the General Data Protection Regulation (the GDPR) together with all other applicable legislation relating to privacy or data protection in force from time to time. You should share this Policy with your family and dependants where you have provided us with personal information about them (and where it is reasonable to do so).
Who is the Controller and the Processor?
As defined by the GDPR, a Controller means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data.
A Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Smart Pension and the Trustee are both Controllers for the purposes of the Data Protection Laws.
This Policy explains how Smart Pension, Smart Governance Limited (SGA) and Smart Pension Master Trust (the Trustee) of the Scheme, uses and protects the personal information that they hold about you.
Smart Pension is a Controller in respect of the Scheme data. It is registered with the Information Commissioner’s Office (ICO) registration number ZA070575 and provides the platform (the Smart Pension Platform), propositions and services for members and employers, and provides Data Protection Officer (DPO) duties on behalf of the Scheme, including the delivery of your rights in relation to your personal information.
The Trustee is responsible for governance in relation to the Scheme. The ICO registration number is ZA135972.
SGA is registered as a Controller and the ICO registration number is ZA655267. SGA is responsible for the administration and servicing of the Scheme.
Contact details for Smart Pension and the Trustee are set out at the end of this Policy.
What is personal information?
Personal information broadly means information that identifies (or which could, with other information that we hold or are likely to hold) a living individual. This includes any information provided to us by or on behalf of you, the Scheme's employers or HM Revenue & Customs (HMRC) in relation to your membership of the Scheme.
What types of personal information about you might we hold?
We collect and process the information about you that you provide:
- By filling in forms on our website, whether when you register with us, request information, report problems or require additional services.
- By corresponding with us and our service providers (such as by the secure mail in your account area, email, letter, text, phone or otherwise).
- In response to a survey request.
- Through your distribution of any referral or affiliate link.
We also collect and process information about you that is provided to us by the Scheme's employers or by HMRC. We may hold and process any or all of the following personal information about you:
- Personal details such as your name, gender, age, date of birth, contact details (e.g. your address and postcode, email address, telephone and mobile numbers), and identifiers such as your national insurance number, pension or member reference number and employee number (where applicable).
- Details of your family, lifestyle and social circumstances. This could include details about your current marriage or civil partnership, any previous relationships and details of your family and dependants.
- Employment details such as your earnings, length of service, employment and career history, recruitment and termination details, absence record, job title and job responsibilities.
- Other financial details such as any other income, other pension arrangements, bank account details (e.g. to process pension payments) and your tax code.
- Information about your physical or mental health (where there is a legal basis for the processing of such data under the Data Protection Laws).
- Information about criminal convictions if these relate to money owed to the Scheme's employers in circumstances where they are entitled to be reimbursed from your benefits.
Platform as a Service (PaaS)
- We will host PaaS client data on the Smart Pension Platform and will do so in the capacity of a Processor in order to provide maintenance and support services.
Additional information Smart Pension may hold about you
Why do we hold this information?
We hold your personal information because we need it to administer the Scheme. Without your personal information, we cannot provide you and your dependants with the correct benefits, at the right time. For example, we may need this information to verify your membership of the Scheme, to calculate your pension or to assess whether you are entitled to a specific benefit or how the tax rules apply to you.
We may use unique identifier information, such as your national insurance number, passport number, pension or member reference number and employee number (where applicable) for the purposes of sending communications to you and verifying your identity.
In some instances, we may need to hold and process information relating to your physical or mental health, for example if you are applying for a pension on grounds of ill-health. We will ask for your explicit consent to this, unless there is an alternative legal basis for processing this information under the Data Protection Laws. Once you have given your consent, you can withdraw it at any time by writing to us using the contact details below.
Smart Pension holds your personal information in connection with its role as provider of the Scheme, for example, it may need this information to process your queries, verify your identity or carry out business processes. Smart Pension may also provide you with information in relation to other products and services available on the Smart Pension Platform which you have asked for or which we think may be of interest to you.
Using your information in accordance with the Data Protection Laws
Data Protection Laws require us to meet certain conditions before we are allowed to use your personal information in the way described in this Policy.
Smart Pension and the Trustee rely on a condition that allows us to use your personal information to comply with our legal obligations in relation to the Scheme.
We will keep the amount of personal information collected and the extent of any processing to a minimum.
We will only process 'sensitive' or 'special categories' of personal information under the Data Protection Laws (e.g. information about your health) where you have explicitly consented to this or where there is an alternative legal basis for processing this information under the Data Protection Laws (e.g. it is required by law). This may mean that you will be asked to sign consent forms in the future. If you don't consent to our processing this information when asked to do so, it may mean that we are unable to pay benefits to you or your dependants. Once you have given your consent, you can withdraw it at any time by writing to us using the contact details below.
We will only process information about criminal convictions if these relate to money owed to the Scheme's employers in circumstances where they are entitled to be reimbursed from your benefits and either you consent to this or the processing is necessary for the exercise of a legal claim.
What do we do with the information?
We may use your personal information for a number of purposes relating to the administration of the Scheme, including the following:
- To calculate and pay benefits. This includes providing you with details of your benefits and options under the Scheme and dealing with any queries that you have about these.
- To carry out our obligations arising from any agreement that we have with, or concerning, you and to provide you with the information, benefits and services that you request from us.
- To notify you about services provided to members of the Scheme and any changes to those services or to enable you to access those services.
- For statistical, financial modelling, funding, accounting and reference purposes.
- For internal record keeping.
- For risk management purposes, including the insurance or management of risks or of the Scheme's benefits.
- Complying with our legal obligations, any relevant industry or professional rules and regulations or any applicable voluntary codes.
- Complying with demands or requests made by any relevant regulators, government departments and law enforcement or tax authorities or in connection with any disputes or litigation.
- In connection with any sale, merger, acquisition, disposal, reorganisation or similar change of Smart Pension Limited's business.
In addition, Smart Pension may use your information:
- To ensure that our website is as fast and efficient as possible, and compatible with your software and settings.
- To enable our sub-contractors to provide aspects of our services to you.
- To analyse and improve the services we provide.
- To allow you to use different resources and materials on our website.
- To allow you to access certain details about your benefits via Alexa skill or Google Home (please also see our Terms and Conditions).
- To personalise the way information on our website is presented to you.
- To allow you to share content and materials on our website via social media or other communication means.
- To give you information on products and services which you have asked for or which we think may be of interest to you.
- To track the use of referral links you have shared.
If we have received your express consent to do so and you have agreed to receive marketing from us, we may send you marketing communications. You can stop receiving marketing messages from us at any time.
You can do this by:
- By clicking on the 'unsubscribe' link in any email.
- By contacting us at contact email@example.com.
- Once you do this, we will update your profile to ensure that you do not receive further marketing messages.
- Stopping marketing messages will not stop service communications (such as pension updates).
Smart Pension will rely on its existing commercial relationship with our employer customers, to provide limited communications in respect of similar products or services (known as the 'soft-opt-in' under Data Protection Laws).
Our customers are provided with the opportunity to opt out (unsubscribe) on each and every communication.
How long do we keep your information for?
We will hold your personal information on our systems for as long as is necessary for the Scheme to provide benefits to you or your dependants.
So, for example, if your pension is paid from the Scheme when you retire, we will hold your information for the rest of your life, until your pension ceases on your death. If a pension is payable to any of your dependants after your death, we will then continue to hold your information until their pensions cease. We will then continue to hold your information for an indefinite period after all benefits payable to you and your dependants have ceased, in case there are any further queries about your membership of the Scheme.
If you cease to be a member of the Scheme (e.g. because you transfer your benefits to another pension arrangement), we will hold your information while you are a member and then for an indefinite period after you cease to be a member, in case any further queries arise about your membership of the Scheme.
Who do we share the information with?
Where appropriate for the purposes of administering the Scheme and providing other products and services on the Smart Pension Platform we may share your information with:
- The Scheme's administrator, which is currently Smart Governance Limited, company number 12295061 and with registered office at 40 Eastbourne Terrace Paddington, London, W2 6LG. The administrator uses the information to administer the Scheme, including to calculate and pay benefits.
- The Scheme's professional advisers. These organisations use the information when advising the Trustee and carrying out their professional obligations.
- The Scheme's insurers and annuity providers (and other insurers or brokers for the purpose of obtaining quotations relating to the Scheme or its benefits), investment managers, banks and other service providers.
- Any financial adviser or other organisation appointed by the Trustee or Smart Pension to advise you about your options under the Scheme or any adviser appointed by you where you have asked us to provide them with details of your benefits under the Scheme.
- Any other person who is authorised to act on your behalf.
- Companies within the Smart Pension Group and their professional advisers.
- Regulators, government departments, law enforcement authorities, tax authorities and insurance companies.
- Any relevant ombudsman, dispute resolution body or the courts.
- Persons in connection with any sale, merger, acquisition, disposal, reorganisation or similar change in the Smart Pension business.
- Third parties who provide products and services available through the Smart Pension Platform.
- Third party suppliers who provide tracing services in order to enable better accuracy of our member records.
The entities listed above may also share personal data with their own business suppliers, for example in relation to the operation of IT systems or where they outsource part of their services.
Smart may also share personal data with third party service providers to process your information on our behalf. These third parties will be required to strictly comply with the instructions of Smart.
Some of these entities may also be Controllers under the Data Protection Laws. However, in the first instance you should contact Smart and the Trustee using the contact details below if you have any queries about how they use your personal information.
Please note that some of the Scheme's former service providers may continue to hold information about you for their own record keeping purposes once they have ceased to be involved with the fund.
Where we store your personal data
The data that we collect from you may be transferred outside the UK or the EEA where the Scheme's service providers host data outside the UK or the EEA. This will be governed by the Data Protection Laws.
Further, if you live or work outside of the UK or the EEA, we may need to transfer your personal data outside of the UK or the EEA to respond to any queries that you may have. Where this applies, we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy.
Your rights in relation to your personal information
The following section explains your rights. The various rights are not absolute and each is subject to certain exceptions or qualifications. Please note that we may be unable to delete or remove your data whilst we still need this to administer the Scheme.
What does this mean?
1. Right to be informed
You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we are providing you with the information in this information notice.
2. Right of access
You have the right to obtain a copy of your information (if we’re processing it), and other certain other information (similar to that provided in this information notice) about how it is used. This is so you’re aware and can check that we are using your information in accordance with data protection law. We can refuse to provide information where to do so may reveal personal data about another person or would otherwise negatively impact another person’s rights.
3. Right to rectification
You can ask us to take reasonable measures to correct your information if it’s inaccurate or incomplete. For example, if we have the wrong date of birth or name for you.
4. Right to erasure
This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there’s no compelling reason for us to keep using it or its use is unlawful. This is not a general right to erasure; there are exceptions, for example, where we need to use the information in defence of a legal claim.
5. Right to restrict processing
You have rights to ‘block’ or suppress further use of your information when we are assessing a request for rectification or as an alternative to erasure. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
6. Right to data portability
You have rights to obtain and reuse certain personal data for your own purposes across different organisations. For example, if you decide to move services, this enables you to move, copy or transfer your information easily between different service providers (or directly to yourself) safely and securely, without affecting its usability. This only applies to your information that you have provided that is being processed with your consent (if relevant) or to perform a contract that you are a party to, which is being processed by automated means. We do not expect this right to be relevant in the context of the services that we provide.
7. Right to object
You have the right to object to certain types of processing, on grounds relating to your particular situation, at any time insofar as that processing takes place for the purposes of legitimate interests pursued by us or by a third party such as the Trustee. We will be allowed to continue to process the information if we can demonstrate “compelling legitimate grounds for the processing which override [your] interests, rights and freedoms” or we need this for the establishment, exercise or defence of legal claims.
We will use strict procedures and security features to safeguard against the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
All our employees and any third parties we engage to process data are obliged to respect the confidentiality of such data provided to us and as required under applicable data protection or other legislation.
If you are not happy with the way in which your personal information is held or processed, please contact us using the details below. You also have the right to complain about data protection matters to the ICO.
The ICO is the UK's independent body set up to uphold information rights. You can find out more about the ICO on its website. The ICO can be contacted by calling 0303 123 1113.
Changes to this Policy
We keep this Policy under regular review and may change it at any time. We will tell you about any significant changes. Any changes we may make to this Policy in the future will be posted on this page. Please check frequently to see any update or changes to this Policy. This Policy is current on 14th February 2020.
How to contact us?
Our Data Protection Officer is Michael Mulholland. If you have any queries about this policy, please contact firstname.lastname@example.org.
If you wish to exercise any of the rights above please complete this form.
If you have any other questions about the Scheme, please contact email@example.com.
If you have any security related issues about our website, please contact firstname.lastname@example.org.