This web page expands on the privacy information that has previously been made available to you (see a copy of this information).
We may update this notice from time to time. We will keep you updated on material changes to this notice. We also encourage you to check this notice on a regular basis. This version was last updated in September 2021.
The purpose of this notice is to explain how the National Employment Savings Trust Corporation (Nest) as Trustee of the Nest pension scheme (the Scheme) collects and uses your personal information and how we comply with data protection law. Nest looks after all aspects of the Scheme, in line with the Nest Order and Rules and the law. Where Nest determines the reasons for which we use your personal information and the means of processing your personal information, it is the controller.
In this notice, we explain some things about the personal information Nest holds, and your rights regarding this information. It’s important that you read it carefully, together with any other privacy notices and information that we provide you, from time to time.
We collect and receive different types of personal information about you, in order to administer the Nest account of the member or employer you are linked to. Personal information we hold about you includes any information that identifies you (e.g name, address, phone number etc.). It may also include, on rare occasions, personal information which relates to specific topics which are thought to be more privacy sensitive (e.g information about your health, your ethnicity, religion etc.).
When we use sensitive personal information such as health records, we may ask for your consent. However, from time to time there may be cases where due to legal reasons or public interest, Nest can use this personal information without your consent. Nest may also use your personal information, in order to establish, exercise and defend its legal rights.
You can find more details about the type of information we hold about you, in “What personal information we use and how long we keep it” below.
We have received information about you, either from one of our members or one of our employers, in relation to an event affecting them. This is further explained in the communication you received with this notice or that you may have received separately. In some instances, you may have provided us this information directly.
Please note: Your personal information is necessary for us to administer the Scheme, the members’ or employers’ Nest account that you are linked to and to action their or your requests. Without it we may not be able to do so.
As a trustee, Nest has a legal obligation to provide pensions and other benefits in relation to its members and must comply with the legal obligations applicable to it (such as trust law, pensions law and our Order and Rules). In order to meet these requirements, we need to process your personal information.
In addition, Nest is also a public corporation, whose function is to be the trustee of the Scheme. In carrying out this function, we will need to process your data, in order to run the Scheme in line with our powers.
To meet these obligations, we’ll use your personal information to:
When Nest needs to use information about your health or other sensitive personal information, we may ask for your consent. However, from time to time, there may be cases where due to legal reasons or public interest, Nest can use this personal information without your consent.
Nest may also use your personal information, in order to establish, exercise and defend its legal rights.
We’ll use your personal details to provide you with other information you’ve consented to receive. You can easily withdraw your consent at any time. We explain how you can do so, each time we ask for your consent.
If you use our website, you’ll see a message asking you to consent to the use of non-essential cookies, at your first visit. If you consent to the use of cookies, we’ll also use your personal information to monitor the traffic and performance of our website.
If you want more information about cookies we use or if you’d like to change your cookie settings, please go to our cookies policy page.
Pensions are for the long term, so we will retain your personal information for a long time. You can find more details below.
Including: surname, forenames, telephone number, address (correspondence and billing), email address, phone recordings and transcripts of your interaction with us, emails.
We’ll keep this information for 15 years after the earliest of:
(a) the date we pay out the member’s retirement pot in full;
(b) the date we transfer the member’s retirement pot out of Nest or
(c) the date of death of the member or 150 years from the date of their birth in circumstances where we’ve not been notified of their death.
Including: surname, forenames, address, relationship to member, phone recordings and transcripts of your interaction with us, emails, benefit percentage, copies of identification documents (including birth, marriage/civil partnership, death certificates).
We’ll keep this information for 15 years after the date of death of the member where death benefits are paid to you or 150 years from the member’s date of birth in circumstances where we’ve not been notified of their death and death benefits are not paid to any beneficiary;
Where the member takes their retirement pot in full, we’ll keep this information for 15 years after the earliest of:
(a) the date we pay out the member’s retirement pot in full;
(b) the date we transfer the member’s retirement pot out of Nest or
(c) the date of submission of a new expression of wish/death benefit nomination form, where the member completes a new form and replaces the beneficiary.
This category covers a variety of individuals. This could include:
professionals,
who interact with the Scheme in respect of a specific member event such as ill-health application, death benefit or divorce cases
who interact with the Scheme in relation to a specific employer event.
Including:
This will follow the same principles as the member retention period relating to the activity where the data is gathered. To know more about this please see the Fair Processing Notice for members.
Data will be kept with the relevant member record. We won’t keep a separate record of your data.
Any other personal information we collect and use that is not described in any of the categories above.
This will follow the same principles as the member retention period relating to the activity where the data is gathered. To know more about this please click here:
www.nestpensions.org.uk/personal-information-member
Data will be kept with the relevant member record. We won’t keep a separate record of your data.
In addition, we may keep your personal information for a longer period of time than mentioned above for archiving or research purposes, or in the event of ongoing disputes, claims, complaints or data migration. In such cases, we’ll consider the nature, degree of sensitivity, and volume of your personal information that needs to be kept. We’ll also take into consideration the purpose for extending the retention period and whether this purpose could be achieved through other means.
From time to time, we may need to pass your personal information on to trusted third parties. The third parties we may share information with are:
We need to pass your personal information as requested and required, to The Pensions Regulator, the Pensions Ombudsman, the Department for Work and Pensions and Her Majesty’s Revenue and Customs, in accordance with our legal, regulatory and statutory obligations, for compliance purposes.
In order to comply with our legal, regulatory and statutory obligations, sometimes we also need to pass your personal information to third parties, such as courts, law enforcement agencies, our insurers, our auditors, and our professional advisers.
As part of the legal requirements when looking after the Scheme, Nest has to be able to develop a Scheme that aims at meeting, on an on-going basis, the needs of its members, participating employers, and intermediaries. In order to do so, Nest needs to conduct research and surveys. Some of those activities may require us to use your personal information.
When conducting such activities, we may need, from time to time, to share your personal information with other government bodies or departments, as well as with third party research partners (such as universities, think tanks, etc.). Wherever appropriate, we’ll use aggregated datasets, or anonymisation or pseudonymisation techniques to limit personal information use to what is strictly necessary for the purpose of each project.
We also use market research agencies and survey providers to help us carry out these activities. We seek to ensure that we have the necessary safeguards and security measures in place, when we do so.
When we outsource any processes, we ensure any supplier or contractor we use has adequate security measures. We also require them to comply with data protection principles as part of our contract with them.
When we share data with third parties, they may be a processor acting on our instructions or a controller in their own right.
Most of our scheme administration is carried out by our outsourced supplier, Tata Consultancy Services (TCS). As part of their services, some of your personal information may be processed from India. Where this occurs, Nest relies on model contract clauses (if you want more information, please see the section below ‘Transfers outside the UK’).
In the course of providing scheme administration services, TCS uses other processors, such as:
Where this occurs, Nest requires sufficient guarantees from TCS that appropriate technical and organisational measures are in place with all processors and that their standard of security with regard to the processing of your personal information is satisfactory to Nest.
When you transfer to another pension scheme, we’ll need to share some of your personal information with that pension provider/pension advisor.
In certain circumstances, we may need to disclose your personal information to other trusted third parties, who will receive it as controllers in their own right (such as auditors, consultants, legal advisers, identity and bank checking service providers). In such cases, we will ensure that the appropriate contracts and safeguards are in place.
Nest uses website analytics providers in order to provide valuable information and insight into the performance and use of our website. If you use our website, we’ll also share information about your use of our site with those web analytics providers. You’ll find more information in our cookies policy.
From that page, you will also be able to manage your preferences and be able to opt in or out from cookies that are not essential to the operation of the website.
We may also share your personal information with any other third party where you have given your consent.
The security of your personal information is very important to us and we take this matter very seriously. We’ll use appropriate procedures and security features to process and protect your information. We have in place a robust framework to ensure the security of your data.
The information security management systems operated by Nest Corporation, our scheme administrator and our IT managed services provider are all independently certified to the ISO 27001 standard. This gives us assurance that our systems and processes are robust, and helps protect members’ data.
Some of the organisations that we share your personal information with may process it overseas. If any sharing means that your personal information will be transferred outside the UK, we will only make that transfer if:
Please find below more detailed information in relation to our scheme administration, our research activities and our procurement activities.
Some of the services TCS are providing are carried out from India. In order to make sure that your data is secure when transferred to India, Nest uses the Model Contract Clauses which includes the UK's international data transfer agreement (ITDA) or the EU's standard contractual clauses (EU SCCs) supplemented by the ITDA addendum.
The administration of the Scheme and the Nest accounts linked to you can be done using modern technology such as smartphones and tablets. In such cases, your personal information can be accessible from those devices. Where this occurs, Nest may access and review your personal information while transiting via countries outside the UK. Nest will carry out a risk assessment and seek to implement that in these cases, strong security controls protect your data both in transit to, and on Nest devices.
As mentioned above, Nest conducts research into the way our customers interact and save with us, using third party processors such as market research agencies, survey providers and third party research partners.
When those third parties are not based in the UK, Nest carries out a risk assessment to determine whether appropriate safeguards are in place (taking into account the level of security, the volume of data, sensitivity of data) and seeks to ensure that the necessary safeguards are written into a contract.
When procuring new suppliers that may be processing personal information, Nest conducts a risk assessment into where and how personal information will be processed and to determine what safeguards are appropriate, such as, for instance, entering into Model Contract Clauses (and/or any replacements applicable in the UK) or relying on adequacy decisions.
You can correct the information we hold about you by logging into your online Nest account if you have one, then selecting “edit your profile”. You need to help us keep your personal information accurate.
Alternatively, you can also contact us at Nest, Nene Hall, Lynch Wood Business Park, Peterborough, PE2 6FY.
Subject to certain conditions, you have the right to request access to the personal information that we hold about you. This is commonly called a “data subject access request”.
If possible, you should specify the type of information you would like to see to ensure that our disclosure meets your expectations. We must be able to verify your identity. Your request shall not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other individuals.
In addition to your rights to request access to or rectification of the personal information we hold about you, you’ll have the right, under certain circumstances, to make a request to:
Some rights may not be applicable to all forms of processing and/or all types of personal information.
Note1: It is important to note that your request to restrict or object to processing or erase your personal information doesn’t automatically lead to a requirement for the processing to stop, or for your personal information to be deleted. For instance, we may not be in a position to erase your personal information, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.
Note2: In addition, the right to data portability only applies in certain circumstances such as where the processing relies on consent. When Nest processes your personal information for the purposes of scheme administration (as explained above), in most instances, it does so in order to comply with its legal obligations. In this case, the right to data portability will not apply.
Note3: If you do decide to withdraw your consent we will stop processing your personal information for that purpose going forward, unless there is another lawful basis we rely on – in which case, we will let you know.
To make a request under these rights you can:
The information provided in this privacy notice is in addition to any other privacy information we may give you on this website or via other channels (paper communication, secure message, webchat, telephone etc). We may update this notice from time to time. We will keep you updated on material changes to this notice. We also encourage you to check this notice on a regular basis. If you want more information about the use of cookies on the Nest website, please view our cookies policy.
If you want to contact us, you can
If you have concerns about the way we handle your personal information and you think we haven’t dealt with them properly, you can contact the Information Commissioner’s Office or raise a complaint