Skip to Main Content
close Close

Your privacy rights when
you’ve been given
access to a Nest
account

This web page expands on the privacy information that has previously been made available to you (see a copy of this information).

We may update this notice from time to time. We will keep you updated on material changes to this notice. We also encourage you to check this notice on a regular basis. This version was last updated in September 2021.

The purpose of this notice is to explain how the National Employment Savings Trust Corporation (Nest) as Trustee of the Nest pension scheme (the Scheme) collects and uses your personal information and how we comply with data protection law. Nest looks after all aspects of the Scheme, in line with the Nest Order and Rules and the law. Where Nest determines the reasons for which we use your personal information and the means of processing your personal information, it is the controller.

In this notice, we explain some things about the personal information Nest holds, and your rights regarding this information. It’s important that you read it carefully, together with any other privacy notices and information that we provide you, from time to time.

About your personal information and where we obtain it

We collect and receive different types of personal information about you, in order to administer the Nest Connector’s or employer’s Nest account where you were added as a delegate. Personal information we hold about you includes any information that identifies you (e.g name, address, phone number etc.). It may also include, on rare occasions, personal information which relates to specific topics which are thought to be more privacy sensitive (e.g information about health, ethnicity, religion etc.).

When we use sensitive personal information such as health records, we may ask for your consent. However, from time to time, there may be cases where due to legal reasons or public interest, Nest can use this personal information without your consent.

Nest may also use your personal information in order to establish, exercise and defend its legal rights.  

You can find more details about the type of information we hold about you in “What personal information we use and how long we keep it” below.

We received personal information about you when you were added as a delegate to a Nest Connector’s or employer’s Nest account. That Nest Connector or employer provided your details to us and you can find out more in the email we sent you entitled “Please sign up for delegated access to Nest”. 

You may be appointed delegate by more than one Nest Connector or employer, in such case you’ll receive separate notices for each Nest Connector or employer that adds you as delegate to their individual Nest account.

You need to help us keep the personal information we hold about you accurate. If you notice that any of your personal information is incorrect or if any personal information about you changes, please see below on how you can correct your personal information.

Please note: The personal information you provide to us, as well as that we collect about you, is necessary for us to administer the Scheme, the Nest Connector’s or employer’s Nest account where you were added as a delegate and action your requests. Without it we may not be able to do so.

How we'll use your personal information

As a trustee, Nest has a legal obligation to provide pensions and other benefits in relation to its members and must comply with the legal obligations applicable to it (such as trust law, pensions law and our Order and Rules). In order to meet these requirements, we need to process your personal information. 

In addition, Nest is also a public corporation, whose function is to be the trustee of the Scheme. In carrying out this function, we will need to process your data in order to run the Scheme in line with our powers.

To meet these obligations, we need to use your personal information in relation to the administration of the Nest accounts of the employer or Nest Connector that added you as delegate.  
For instance, we can use this to:

  • administer the Nest Connector’s or employer’s Nest account where you were added as a  delegate
  • communicate and interact with you (and the Nest Connector or the employer) that added  you as a delegate, in relation to their Nest accounts. This can be by phone, webchat, email,  post, secure mail, app
  • provide services and information you request from us in relation their Nest accounts
  • inform you about changes to our services
  • improve our service offering, including through surveys and research activities
  • ensure we run a scheme that is compliant with regulation and legislation
  • see if and when you have opened secure messages we send you, in your Nest account
  • prevent and detect crimes such as fraudulent activities

When Nest needs to use information about your health or other sensitive personal information, we may ask for your consent. However, from time to time, there may be cases where due to legal reasons or public interest, Nest can use this personal information without your consent.

Nest may also use your personal information in order to establish, exercise, and defend its legal rights.

We’ll use your personal information to provide you with other information you’ve consented to receive. You can easily withdraw your consent at any time. We explain how you can do so, each time we ask for your consent.

For example: when logging into your Nest account for the first time, you will be asked whether you are happy to receive news and other information about Nest that may interest you. If you have consented to receive such information, you can withdraw your consent at any time by logging into your Nest account, going to “edit my profile” and changing your marketing preference.

We may also use your personal information to see if and when you open emails or links we send you, where you have consented to receive them.

If you use our website, you’ll see a message asking you to consent to the use of non-essential cookies, at your first visit. If you consent to the use of cookies, we’ll also use your personal information to monitor the traffic and performance of our website.

If you want more information about cookies we use or if you’d like to change your cookie settings, please go to our cookies policy page.

What personal information we use and how long we keep it

Pensions are for the long term, so we will retain your personal information for a long time. You can find more details below.

Including:

  • surname, forenames,
  • relationship to organisation,
  • phone recordings and transcripts,
  • details of the level of access applicable to the Nest Connector or the employer account who  added you as a delegate,
  • physical address (correspondence and billing), email address,
  • emails, secure messages, correspondence,
  • telephone number (for professional representatives, this will be work address/email),
  • address history,
  • employer’s name,
  • the date of appointment and end date of your appointment as a delegate for each relevant  Nest Connector’s or employer’s account.

Where you provide this information to us:

  • and setting up the employer’s Nest scheme isn’t completed, we’ll keep it for 15 years  following the date this information was provided
  • and setting up the employer’s Nest scheme is completed but no one has enrolled any  members, we’ll keep it for 15 years following the date the employer stops using Nest.

In all other circumstances, we’ll keep this information for 15 years after the earliest of:

(a)  the date we pay out your last relevant member’s retirement pot in full;
(b)  the date we transfer your last relevant member’s retirement pot out of Nest or
(c)  the date of death of your last relevant member or 150 years from their date of birth in circumstances where we’ve not been notified of their death.

Except for records of change of address, which we’ll keep for 15 years after you notify us.

A relevant member is a member where you’re provided or viewed their details

Financial information and bank details

Including: Bank’s name, bank account number and sort code and any changes to those details.

We’ll keep this information for 15 years after the earliest of:

(a)  the date we pay out your last relevant member’s retirement pot in full; 
(b)  the date we transfer your last relevant member’s retirement pot out of Nest or 
(c)  the date of death of your last relevant member where contributions were received from the Nest Connector or employer’s bank account or where contributions were refunded to that account
(d)  the date of your last relevant member’s 150th anniversary of birth in circumstances where we’ve not been notified of their death and where contributions were received from the Nest Connector or employer’s bank account or where contributions were refunded to that account.

Appointment as a delegate

Includes date(s) of your appointment as a delegate and the date(s) your appointment ended.

We’ll keep this information for 15 years after the earliest of:
(a)  the date we pay out your last relevant member’s retirement pot in full;
(b)  the date we transfer your last relevant member’s retirement pot out of Nest
(c)  the date of your last relevant member or 150 years from their date of birth in circumstances where we’ve not been notified of their death.

Any other data not described above:

Any other data we collect, not specifically mentioned above will be brought to your attention with a specific message at the point of collection from you.

We’ll keep this information for 15 years after the earliest of your last relevant member’s:

(a)  date of payment of retirement pot in full, 
(b)  date of transferring their retirement pot out of Nest, or 
(c)  date of death or 150 years from their date of birth in circumstances where we’ve not been notified of their death.

In addition, we may keep your personal information for a longer period of time than mentioned above for archiving or research purposes, or in the event of ongoing disputes, claims, complaints or data migration. In such cases, we’ll consider the nature, degree of sensitivity, and volume of your personal information that needs to be kept. We’ll also take into consideration the purpose for extending the retention period and whether this purpose could be achieved through other means.

Passing on your personal information to third parties

From time to time, we may need to pass your personal information on to trusted third parties. The third parties we may share information with are:

We need to pass your personal information as requested and required, to The Pensions Regulator, the Pensions Ombudsman, the Department for Work and Pensions and Her Majesty’s Revenue and Customs, in accordance with our legal, regulatory and statutory obligations, for compliance purposes.

In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to third parties such as courts, law enforcement agencies, our insurers, our auditors and our professional advisers.

As part of the legal requirements when looking after the Scheme, Nest has to be able to develop a Scheme that aims at meeting, on an on-going basis, the needs of its members, participating employers, and intermediaries. In order to do so, Nest needs to conduct research and surveys. Some of those activities may require us to use your personal information.

When conducting such activities, we may need, from time to time, to share your personal information with other government bodies or departments, as well as with third party research partners (such as universities, think tanks, etc.). Wherever appropriate, we’ll use aggregated datasets, or anonymisation or pseudonymisation techniques to limit personal information use to what is strictly necessary for the purpose of each project.

We also use market research agencies and survey providers to help us carry out these activities. We seek to ensure that we have the necessary safeguards and security measures in place, when we do so.

When we outsource any processes, we ensure any supplier or contractor we use has adequate security measures in place. We also require them to comply with data protection principles as part of our contract with them. When we share data with third parties, they may be a processor acting on instructions from us or a controller in their own right.

Most of our scheme administration is carried out by our outsourced supplier, Tata Consultancy Services (TCS). As part of their services, some of your personal information may be processed from India. Where this occurs, Nest relies on model contract clauses (if you want more information, please see the section below ‘Transfers outside the UK’).

In the course of providing scheme administration services, TCS uses other processors, such as:

  • data centre hosting providers, based in the UK and the EEA
  • letter printing and postal service providers
  • software providers, such as email campaign providers
  • identity checking service providers

Where this occurs, Nest requires sufficient guarantees from TCS that appropriate technical and organisational measures are in place with all processors and that their standard of security with regard to the processing of your personal information is satisfactory to Nest.

In certain circumstances, we may need to disclose your personal information to other trusted third parties, who will receive it as controllers in their own right (such as auditors, consultants, legal advisers, identity and bank checking service providers). In such cases, we will ensure that the appropriate contracts and safeguards are in place.

Nest uses website analytics providers in order to provide valuable information and insight into the performance and use of our website. We also share information about your use of our site with those web analytics providers. You’ll find more information in our cookies policy.

From that page, you'll also be able to manage your preferences and be able to opt in or out from cookies that are not essential to the operation of the website.

We may also share your personal information with any other third party where you have given your consent.

Security and safe storage of your personal information

The security of your personal information is very important to us and we take this matter very seriously. We’ll use appropriate procedures and security features to process and protect your information. 

The information security management systems operated by Nest Corporation, our scheme administrator and our IT managed services provider are all independently certified to the ISO 27001 standard. This gives us assurance that our systems and processes are robust, and helps protect members’ data.

Transfers outside the United Kingdom (UK)

Some of the organisations that we share your personal information with may process it overseas. If any sharing means that your personal information will be transferred outside the UK, we will only make that transfer if:

  • the country to which the personal information is to be transferred ensures an adequate level of protection for personal information
  • we have put in place appropriate safeguards to protect your personal information, such as an appropriate contract (like the contract terms sometimes called Model Contract Clauses which includes the UK's international data transfer agreement (ITDA) or the EU's standard contractual clauses (EU SCCs) supplemented by the ITDA addendum
  • the transfer is necessary for one of the reasons specified in data protection law
  • sometimes, we will request your consent to the transfer 

Please find below more detailed information in relation to our scheme administration, our research activities and our procurement activities.

Some of the services TCS are providing are carried out from India. In order to make sure that your data is secure when transferred to India, Nest uses the Model Contract Clauses which includes the UK's international data transfer agreement (ITDA) or the EU's standard contractual clauses (EU SCCs) supplemented by the ITDA addendum.

The administration of the Scheme and the Nest account(s) for which you have been added as a delegate can be done using modern technology such as smartphones and tablets. In such cases, your personal information can be accessible from those devices. Where this occurs, Nest may access and review your personal information while transiting via countries outside the UK. Nest will carry out a risk assessment and seek to implement strong security controls to protect your data both in transit to, and on Nest devices.

As mentioned above, Nest conducts research into the way our customers interact and save with us, using third party processors such as market research agencies, survey providers and third party research partners.

When those third parties are not based in the UK, Nest carries out a risk assessment to determine whether appropriate safeguards are in place (taking into account the level of security, volume of data and sensitivity of data) and seeks to ensure that the necessary safeguards are written into a contract.

When procuring new suppliers that may be processing personal information, Nest conducts a risk assessment into where and how personal information will be processed and to determine what safeguards are appropriate, such as, for instance, entering into Model Contract Clauses (and/or any replacements applicable in the UK) or relying on adequacy decisions.

How you can access and correct your personal information

In order to administer the Scheme, and the Nest account of the employer or Nest Connector who added you as a delegate, it is important that we have accurate and complete information about you. We encourage you to notify us of any changes regarding your personal information, as mentioned just below.

You can correct the information we hold about you by logging into your Nest online account, then selecting “edit your profile”.

You can also contact us at Nest, Nene Hall, Lynch Wood Business Park, Peterborough, PE2 6FY.

Subject to certain conditions, you have the right to request access to the personal information that we hold about you. This is commonly called a “data subject access request”. 

If possible, you should specify the type of information you would like to see to ensure that our disclosure meets your expectations. We must be able to verify your identity. Your request shall not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other individuals.

In addition to your right to access or rectification of your personal data that we hold about you, you also have the right to make a request (under certain circumstances) to:

  • restrict or object to the processing of the personal information we hold about you (see Note1)
  • erase your personal information (see Note1) 
  • receive personal information about you that you have provided to us in a structured, commonly used, machine-readable format where we use it with your consent (‘right to data portability'’) (see Note2)
  • withdraw your consent for us to process your personal information, where based on consent (see Note3)

Note1: It is important to note that your request to restrict or object to processing or erase your personal information doesn’t automatically lead to a requirement for the processing to stop, or for your personal information to be deleted. For instance, we may not be in a position to erase your personal information, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

Note2: In addition, the right to data portability only applies in certain circumstances such as where the processing relies on consent. When Nest processes your personal information for the purposes of scheme administration (as explained above), in most instances, it does so in order to comply with its legal obligations. In this case, the right to data portability will not apply. 

Note3: If you do decide to withdraw your consent we will stop processing your personal information for that purpose going forward, unless there is another lawful basis we rely on – in which case, we will let you know.

To make a request under these rights you can:

Queries and further information

The information provided in this privacy notice is in addition to any other privacy information we may give you on this website or via other channels (paper communication, secure message, webchat, telephone etc.). 

If you want more information about the use of cookies on the Nest website, please view our cookies policy.

If you want to contact us, you can

If you have concerns about the way we handle your personal information and you think we haven’t dealt with them properly, you can contact the Information Commissioner’s Office or raise a complaint

  • by phone on +44 303 123 1113
  • by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  • via their website at www.ico.org.uk/concerns