Updated November 2021
This Policy applies to all members, former members, employers, advisers, and beneficiaries of the workplace pension scheme (the Scheme) and Smart Retire. It also applies to visitors to our websites and other individuals who contact us or interact with us through our websites.
More about Smart
If you would like further information on our pension products you can visit: https://www.smartpension.co.uk/.
For information specific to members, please visit: https://www.member.smart.co/.
Platform as a Service (PaaS)
If you would like further information about our platform as a service, please visit: https://www.smart.co/.
Data Protection Laws
In this Policy, the ‘Data Protection Laws’ means the General Data Protection Regulation (the GDPR) together with all other applicable legislation relating to privacy or data protection in force from time to time. You should share this Policy with your family and dependants where you have provided us with personal information about them (and where it is reasonable to do so).
Who is the Controller and the Processor?
As defined by the GDPR, a Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
Smart and the Trustee are both Controllers for the purposes of the Data Protection Laws.
This Policy explains how Smart, the Trustee and the Scheme uses and protects the personal information that they hold about you.
ICO Registration number
Smart, registered in the Information Commissioner’s Office (ICO) registration number ZA070575 provides the platform (the Smart Platform), propositions and services for members and employers, and provides Data Protection Officer (DPO) duties on behalf of the Scheme, including the delivery of your rights in relation to your personal information.
The Trustee is responsible for governance in relation to the Scheme. The Trustee’s ICO registration number is ZA135972.
Smart Governance Limited (SGL) provides pensions administration services to EC2 Master Limited as Trustee of the Smart Pension Master Trust. SGL acts as a processor of the Trustee for the purposes of the Data Protection Laws. SGL is a wholly owned subsidiary of Smart. SGL’s ICO registration number is ZA655267.
The Smart Technology Holdings Limited ICO registration number is A8934093. The Smart Platform Limited ICO reference number is A8934143.
Contact details for Smart and the Trustee are set out at the end of this Policy.
What is personal information?
Personal information broadly means information that identifies (or which could, with other information that we hold or are likely to hold, identify) a living individual. This includes any information provided to us by or on behalf of you, the Scheme's employers or third parties including government agencies including HM Revenue & Customs in relation to your membership of the Scheme.
What types of personal information about you might we hold?
We collect and process the information about you that you provide:
- By filling in forms on our website, whether when you register with us, request information, report problems or require additional services.
- By corresponding with us and our service providers (such as by the secure mail in your account area, email, letter, text, phone or otherwise).
- In response to a survey request.
- Through your distribution of any referral or affiliate link.
We also collect and process information about you that is provided to us by the Scheme's employers or by HM Revenue & Customs. We may hold and process any or all the following personal information about you:
- Personal details such as your name, gender, age, date of birth, contact details (e.g., your address and postcode, email address, telephone, and mobile numbers), and identifiers such as your national insurance number, pension or member reference number and employee number (where applicable).
- Details of your family, lifestyle, and social circumstances. This could include details about your current marriage or civil partnership, any previous relationships and details of your family and dependants.
- Employment details such as your earnings, length of service, employment and career history, recruitment and termination details, absence record, job title and job responsibilities.
- Other financial details such as any other income, other pension arrangements, bank account details (e.g., to process pension payments) and your tax code.
- Information about your physical or mental health (where there is a legal basis for the processing of such data under the Data Protection Laws).
- Information about criminal convictions if these relate to money owed to the Scheme's employers in circumstances where they are entitled to be reimbursed from your benefits.
Where does the Trustee and Smart obtain your personal data?
Some of the Trustee’s information comes directly from you. The Trustee may also get information directly from your employer or their representative/adviser.
In addition, Smart, which runs the Scheme on the Trustee’s behalf, may have got information from you, and passed it to the Trustee. Sometimes the Trustee gets information from other sources: for example, another scheme if you have transferred benefits from that scheme; government departments such as HMRC and DWP; and publicly accessible sources (e.g., the electoral roll) if the Trustee has lost touch with you and is trying to find you.
Sometimes the Trustee will obtain your personal data from trustees of other pension schemes who are considering making a ‘bulk transfer’ of assets and liabilities from those other schemes into the Scheme. Before that kind of transfer could happen, the Trustee would need to evaluate, negotiate, and prepare for it.
This would include testing that the personal data coming across is sufficient for the transfer to happen properly in accordance with the rules of the Scheme, checking for inaccuracies in the personal data, and checking whether there are missing parts to the personal data. This testing would be necessary for the legitimate interests of the Trustee in deciding whether to give effect to the transfer.
The Trustee has carefully balanced its legitimate interests against your own rights and freedoms under data protection laws. The categories of personal data shared with the Trustee for this testing are as described in the section “Information the Trustee holds”. If the transfer doesn’t proceed after completion of the testing, the Trustee will securely return or destroy your personal data, unless a copy must be retained to defend legal claims or for other reasons in relation to legal claims.
Personal data in beneficiary nominee forms will come from you as the member. Personal data about members’ dependants, other beneficiary nominees, and death-in-service nominees, will also come from you or your representative. If we ask you for other information in future (for example, about your health), the Trustee will explain whether you have a choice about providing it and any consequences if you don’t do so.
Smart may receive personal data about you when you contact Smart by doing any of the following:
- Registering to use your Online Account or contacting Smart to manage your product or service.
- Applying for a product or service.
- Using its website, or social media.
- Contacting Smart via webchat, phone, email, post or otherwise.
- Taking part in user experience and market research surveys and questionnaires
- Attending worksite presentations, roadshows, or other events.
- Participating in competitions and promotions run by Smart.
Smart works with several third parties from whom we may receive information about you, including:
- Anti-money laundering service providers,
- credit-checking companies,
- analytics providers,
- software providers or payroll providers,
- and regulatory authorities or government departments.
What is the legal basis for the Trustee using your personal data, including if the Trustee shares it?
The Trustee must by law provide benefits in line with the Scheme’s governing documents and must also meet other legal requirements when looking after the Scheme.
The Trustee will use your personal data to comply with these legal obligations, to establish and defend its legal rights, and to prevent and detect crimes such as money laundering and fraud. The Trustee may need to share your personal data with other people for this reason, such as courts, law-enforcement agencies, and providers of anti-money laundering services.
The Trustee also has a legitimate interest in properly looking after the Scheme. This includes paying benefits as they fall due; buying insurance contracts; direct-debit instruction checks; communicating with you; and ensuring that correct levels of contributions are paid, that benefits are correctly calculated, and that the expected standards of Scheme governance are met (including standards set out in The Pensions Regulator guidance).
Additional information Smart may hold about you
Why do we hold this information?
The Trustee holds your personal information because we need it to administer the Scheme. Without your personal information, we cannot provide you and your dependants with the correct benefits, at the right time. For example, we may need this information to verify your membership of the Scheme, to calculate your benefits or to assess whether you are entitled to a specific benefit or how the tax rules apply to you.
We may use unique identifier information, such as your National Insurance number, passport number, pension or member reference number and employee number (where applicable) for the purposes of sending communications to you and verifying your identity.
In some instances, we may need to hold and process information relating to your physical or mental health, for example if you are applying for a pension on grounds of ill-health. We will ask for your explicit consent to this, unless there is an alternative legal basis for processing this information under the Data Protection Laws. Once you have given your consent, you can withdraw it at any time by writing to us using the contact details below.
Smart holds your personal information in connection with its role as provider of the Scheme, for example, it may need this information to process your queries, verify your identity or carry out business processes. Smart may also provide you with information in relation to other products and services available on the Smart Platform which you have asked for or which we think may be of interest to you.
Using your information in accordance with the Data Protection Laws
Data Protection Laws require us to meet certain conditions before we are allowed to use your personal information in the way described in this Policy.
Smart and the Trustee rely on a condition that allows us to use your personal information to comply with our legal obligations in relation to the Scheme.
We will keep the amount of personal information collected and the extent of any processing to a minimum.
We will only process 'sensitive' or 'special categories' of personal information under the Data Protection Laws (e.g., information about your health) where you have explicitly consented to this or where there is an alternative legal basis for processing this information under the Data Protection Laws (e.g., it is required by law). This may mean that you will be asked to sign consent forms in the future. If you don't consent to our processing this information when asked to do so, it may mean that we are unable to pay benefits to you or your dependants. Once you have given your consent, you can withdraw it at any time by writing to us using the contact details below.
We will only process information about criminal convictions if these relate to money owed to the Scheme's employers in circumstances where they are entitled to be reimbursed from your benefits and either you consent to this, or the processing is necessary for the exercise of a legal claim.
What do we do with the information?
We may use your personal information for a number of purposes relating to the administration of the Scheme, including the following:
- To calculate and pay benefits. This includes providing you with details of your benefits and options under the Scheme and dealing with any queries that you have about these. It also includes providing Smart Retire, an online drawdown facility where members can view the values of their investment, submit requests to switch money between investment funds, modify a repeating monthly withdrawal and request occasional lump sum withdrawals.
- To carry out our obligations arising from any agreement that we have with, or concerning, you and to provide you with the information, benefits, and services that you request from us.
- To notify you about services provided to members of the Scheme and any changes to those services or to enable you to access those services.
- For statistical, financial modelling, funding, accounting, and reference purposes.
- For internal record keeping.
- For risk management purposes, including the insurance or management of risks or of the Scheme's benefits.
- Complying with our legal obligations, any relevant industry or professional rules and regulations or any applicable voluntary codes.
- Complying with demands or requests made by any relevant regulators, government departments and law enforcement or tax authorities or in connection with any disputes or litigation.
- In connection with any sale, merger, acquisition, disposal, reorganisation, or similar change of Smart's business.
In addition, Smart may use your information:
- To ensure that our website is as fast and efficient as possible, and compatible with your software and settings.
- To enable our subcontractors to provide aspects of our services to you.
- To analyse and improve the services we provide.
- To allow you to use different resources and materials on our website.
- To allow you to access certain details about your benefits via Alexa skill or Google Home (please also see our Terms and Conditions).
- To personalise the way information on our website is presented to you.
- To allow you to share content and materials on our website via social media or other communication means.
- To give you information on products and services which you have asked for or which we think may be of interest to you.
- To track the use of referral links you have shared.
The Trustee will not use your personal data for marketing purposes.
However, Smart will request your consent for marketing purposes and to collect your preferences by which channels of communication you would like to be contacted by Smart.
If we have received your express consent to do so and you have agreed to receive marketing from us, we may send you marketing communications. You can stop receiving marketing messages from us at any time.
You can do this by:
- By clicking on the 'unsubscribe' link in any email.
- By contacting us at contact [email protected]
- Once you do this, we will update your profile to ensure that you do not receive further marketing messages.
- Stopping marketing messages will not stop service communications (such as pension updates).
Employers and advisers
Smart will rely on its existing commercial relationship with our employer customers, to provide limited communications in respect of similar products or services (known as the 'soft-opt-in' under Data Protection Laws).
Our customers are provided with the opportunity to opt out (unsubscribe) on each communication.
How long do we keep your information for?
We will hold your personal information on our systems for as long as is necessary for the Scheme to provide benefits to you or your dependants.
So, for example, if your pension is paid from the Scheme when you retire, we will hold your information for the rest of your life, until your pension ceases on your death. If a pension is payable to any of your dependants after your death, we will then continue to hold your information until their pensions cease. We will then continue to hold your information for an indefinite period after all benefits payable to you and your dependants have ceased in case there are any further queries about your membership of the Scheme.
If you cease to be a member of the Scheme (e.g., because you transfer your benefits to another pension arrangement), we will hold your information while you are a member and then for an indefinite period after you cease to be a member, in case any further queries arise about your membership of the Scheme.
Who do we share the information with?
Where appropriate for the purposes of administering the Scheme and providing other products and services on the Smart Platform we may share your information with:
- The Scheme's administrator, which is Smart Governance Limited, company number 12295061 and with registered office at The Smart Building, 136 George Street, London, W1H 5LD. The administrator uses the information to administer the Scheme, including to calculate and pay benefits. The Administrator uses a sub-contractor to perform agreed administrative functions.
- The Scheme's professional advisers. These organisations use the information when advising the Trustee and carrying out their professional obligations.
- The Scheme's insurers and annuity providers (and other insurers or brokers for the purpose of obtaining quotations relating to the Scheme or its benefits), investment managers, banks, and other service providers.
- Any financial adviser or other organisation appointed by the Trustee or Smart to advise you about your options under the Scheme or any adviser appointed by you where you have asked us to provide them with details of your benefits under the Scheme.
- Any other person who is authorised to act on your behalf.
- Companies within the Smart Group and their professional advisers.
- Regulators, government departments, law enforcement authorities, tax authorities and insurance companies.
- Any relevant ombudsman, dispute resolution body or the courts.
- Persons in connection with any sale, merger, acquisition, disposal, reorganisation, or similar change in the Smart business.
- Third parties providing services for the online Smart Retire drawdown facility. This will include payroll processing and identify verification checks.
- Third parties who provide products and services available through the Smart Platform.
- Pension industry bodies, to enable research-related initiatives to provide pension data analysis, including developing better evidence of people’s savings habits, with the purposes of optimising individuals’ decision-making and improving the outcomes for members and industry stakeholders.
The entities listed above may also share personal data with their own business suppliers, for example in relation to the operation of IT systems or where they outsource part of their services.
Smart may also share personal data with third party service providers to process your information on our behalf. These third parties will be required to strictly comply with the instructions of Smart.
Some of these entities may also be controllers under the Data Protection Laws. However, in the first instance you should contact Smart and the Trustee using the contact details below if you have any queries about how they use your personal information.
Please note that some of the Scheme's former service providers may continue to hold information about you for their own record keeping purposes once they have ceased to be involved with the Scheme.
Where we store your personal data
The data that we collect from you may be transferred outside the UK or the EEA where the Scheme's service providers host data outside the UK or the EEA. This will be governed by the Data Protection Laws.
Further, if you live or work outside of the UK or the EEA, we may need to transfer your personal data outside of the UK or the EEA to respond to any queries that you may have. Where this applies, we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy.
Schrems II Privacy Shield statement
The Schrems II decision of the European Court of Justice (ECJ) in July 2020, found that the Privacy Shield is no longer a valid way to transfer personal data outside of the EEA. However, Standard Contractual Clauses (SCCs) are still valid.
In accordance with ICO guidance, Smart has undertaken a review of our contractual arrangements to ensure that SCCs are in place where personal data may be processed in the United States. If we become aware that a supplier relies solely on the Privacy Shield, then we will work with them to ensure that SCCs are in place, or there is an alternative legal basis for the transfer.
In the meantime, Smart will continue to monitor its international transfers and react promptly as regulatory guidance and advice is updated.
Your rights in relation to your personal information
The following section explains your rights. The various rights are not absolute, and each is subject to certain exceptions or qualifications. Please note that we may be unable to delete or remove your data whilst we still need this to administer the Scheme.
1. Right to be informed
2. Right of access
You have the right to obtain a copy of your information (if we’re processing it), and certain other information (similar to that provided in this information notice) about how it is used. This is so you’re aware and can check that we are using your information in accordance with data protection law. We can refuse to provide information where to do so may reveal personal data about another person or would otherwise negatively impact another person’s rights.
3. Right to rectification
You can ask us to take reasonable measures to correct your information if it’s inaccurate or incomplete. E.g., if we have the wrong date of birth or name for you.
4. Right to erasure
This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there’s no compelling reason for us to keep using it or its use is unlawful. This is not a general right to erasure; there are exceptions, e.g., where we need to use the information, in defence of a legal claim.
5. Right to restrict processing
You have rights to ‘block’ or suppress further use of your information when we are assessing a request for rectification or as an alternative to erasure. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
6. Right to data portability
You have rights to obtain and reuse certain personal data for your own purposes across different organisations. E.g., if you decide to move services, this enables you to move, copy or transfer your information easily between different service providers (or directly to yourself) safely and securely, without affecting its usability. This only applies to your information that you have provided that is being processed with your consent (if relevant) or to perform a contract that you are a party to, which is being processed by automated means. We do not expect this right to be relevant in the context of the services that we provide.
7. Right to object
You have the right to object to certain types of processing, on grounds relating to your situation, at any time insofar as that processing takes place for the purposes of legitimate interests pursued by us or by a third party such as the Trustee. We will be allowed to continue to process the information if we can demonstrate “compelling legitimate grounds for the processing which override [your] interests, rights and freedoms” or we need this for the establishment, exercise, or defence of legal claims.
We will use strict procedures and security features to safeguard against the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
All our employees and any third parties we engage to process data are obliged to respect the confidentiality of such data provided to us and as required under applicable data protection or other legislation.
Smart became ISO/IEC 27001 certified on 12 October 2021. The scope of this Information Security Management System (ISMS) is information security arrangements associated with the provision of pension and retirement technology services by Smart.
If you are not happy with the way in which your personal information is held or processed, please contact us using the details below. You also have the right to complain about data protection matters to the ICO.
Changes to this Policy
We keep this Policy under regular review and may change it at any time. We will tell you about any significant changes. Any changes we may make to this Policy in the future will be posted on this page. Please check frequently to see any update or changes to this Policy. This Policy is current as of 30 November 2021.
How to contact us?
If you have any other questions about the Scheme, please visit https://www.smartpension.co.uk/contact-us to find out the best way of contacting us for your question.
If you have any security related issues about our website, please contact [email protected].