Privacy

How we use information about you

We, the Railways Pension Trustee Company Limited and RPMI Limited (each with its registered address at 7th Floor, Exchange House, 12 Exchange Square, London, EC2A 2NY), are a “data controller” in respect of your personal information for the purposes of applicable data protection legislation. If there is a Pensions Committee for your Section, it will also comply with the data protection legislation.

This privacy notice is intended to give you a clear picture of how we handle your personal data. It describes what personal data we collect about you, the basis upon which we process it, with whom it is shared, how it is stored and certain other important information relating to the protection of your personal data.

Why we use your data

We will use your personal details in order to deal with and pay any benefits you may be entitled to under the rules of the Railways Pension Scheme, the BT Police Superannuation Fund, the British Railways Superannuation Fund, or any other pension fund administered by RPMI.

The Trustee will also use your personal data for the purposes of complying with any legislation and procedures which apply to them and to establish, exercise or defend their legal rights.

The Scheme actuary, the Scheme auditor and the appropriate legal advisors may be given access to personal data for the purpose of advising the Trustee and RPMI on the management of the Scheme.

We may occasionally use your personal data for the purposes of statistical analysis or to respond to government surveys (for example, compulsory questionnaires sent to us by the Pensions Regulator or the Office of National Statistics) but this is usually completed on an anonymous basis.

If we wish to use your personal data for any other purpose, we will update this privacy notice. 

We may collect and use the following types of personal data about you and, in some circumstances, your spouse, civil partner, partner or dependents:

  • contact details such as name(s), home address, telephone number and personal e-mail address;
  • national insurance number;
  • gender and date of birth;
  • marital status, next of kin and family/dependents;
  • dates on which you joined and left pensionable service;
  • financial details such as your salary information;
  • information relating to any pension sharing or earmarking order (if your marriage or civil partnership ends);
  • information about pension benefits you have accrued, investment choices and death benefit nomination forms;
  • tax information and any protections that you may have in relation to your pension benefits;
  • your bank account details.

 

This information may be obtained from your current or former employer, government agencies, any financial or other adviser or representative acting on your behalf, service providers that allow us to verify the accuracy of your personal details (for example, to trace your current address or to verify your continuing existence) and from yourself.

In certain circumstances, we may ask you for information relating to your health; for example, if you are applying for ill health benefits. In some circumstances, additional medical information may be required from your doctor or appropriate medical advisor. We will explain to you at the time why we need that information and how we intend to use it. When we need to, we will ask for your consent to use your health information.

You do not have to provide the information requested from you, but there may be a delay in the payment of your benefits if that information is not provided.

You may also need to provide us with personal data relating to other people (for example, your spouse, civil partner or dependents), such as when completing a nomination form. When you do so, you will need to check with them that they are happy for you to share their personal data with us and for us to use it in accordance with this privacy notice.

If you are acting on behalf of a child, we may also hold and use your personal information, which will be dealt with on the same basis as set out earlier.

What is our lawful basis for using your personal data?

Under data protection legislation, we need to have what is called a lawful basis each time we use, share or otherwise process your personal data. The legal basis on which we will process your personal data could include the following:

  • there is a legal obligation for us to do so;
  • it is for our legitimate business interests; or
  • you have given us your consent to do so.

 

Our legitimate business interests include fulfilling our role in dealing with, assessing eligibility for and paying any benefits you may be entitled to. We will not use your data for our legitimate business interests if your interests, rights or freedoms override them.

Our "legitimate interests" can also mean our (or a third party's) interests in operating the Scheme or Fund as efficiently and securely as possible. For example, we may choose to use a third party to store your personal data; we may do this in part because our use of that service means that your personal data is more secure.

In certain circumstances, we will need your consent to collect and use your personal data; this is most likely where we are collecting information relating to your health (for example, in applying for ill health benefits). 

If we are processing your data on the basis of your consent, you can withdraw your consent at any time by contacting RPMI’s Data Protection Officer (details shown on the back page). The withdrawal of consent will not affect the processing of personal data carried out before consent was withdrawn.

Whom the information may be shared with

From time to time, we may need to share your information with other parties. Where this is necessary, we are required to comply with all relevant data protection legislation. The types of third parties we may need to share some of your information with include:

  • your current or former employer - for the purposes of operating the Scheme;
  • pension schemes with which the person whose personal information we are processing has an association;
  • the Scheme or Fund actuary – this is an actuary that is personally appointed to provide advice on the funding of the Scheme or Fund. The actuary will be supported by an actuarial team who will also have access to your personal data;
  • the Scheme or Fund auditor – they prepare the Scheme's or Fund’s annual accounts and audit them for us;
  • the Scheme or Fund legal advisor – they advise us on all legal issues affecting the Scheme or Fund;
  • government agencies (for example, HM Revenue and Customs);
  • ombudsmen and regulatory authorities;
  • companies that provide services to us, such as printers, information technology systems suppliers and support, including providers of email archiving, back-up and disaster recovery and cyber security services;
  • third parties, in order to verify your identity as well as to prevent and detect fraud. This would involve a ‘soft’ credit check from a credit referencing agency. Soft checks are visible on your credit report but don't show up in the same way as a ‘hard’ check and do not affect your credit rating.

Your personal data will also be disclosed to third parties:

  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or any lawful request from any legal or regulatory authority; or
  • to respond to any claims, and to establish, exercise or defend our legal rights.

 

Details of all of the main advisers to the Scheme are available in the Scheme's annual report and accounts, which are available on request by writing to us.

Most third parties with whom we share your personal data are limited (by law and by contract) to using your personal data only for the specific purposes identified by us.

Certain third parties (most notably, the Scheme actuary and other professional advisers) are themselves subject to certain legal or regulatory obligations (including professional codes of practice). They will be responsible for their own processing of personal data to the extent that processing is subject to, or relates to, those obligations.

Willis Towers Watson provide actuarial services for the Railways Pension Scheme and the British Railways Superannuation Fund. Their Privacy Notice is available at www.willistowerswatson.com/personal-data

XPS Pensions Group provide actuarial services for the BT Police Superannuation Fund. Their Privacy Notice is available at https://www.xpsgroup.com/legal-regulatory/privacy-policy

We will always ensure that any third parties with whom we share your personal data are subject to privacy and security obligations consistent with this privacy notice and applicable laws.

How long do we retain your personal data?

Our standard policy is for information or data to be kept for only as long as necessary for the purposes set out above. It is then disposed of in a managed and secure way. However, as pensions are a long-term saving vehicle, it may be necessary to retain your personal data for the remainder of your life and any dependents’ lives in order to determine your entitlement to and pay the benefits you may be entitled to, along with any dependent's benefits payable.

Transferring data overseas

Our core systems, data, and administration services are all carried out and stored within the UK.

However, TCS, a multinational information technology service based in India, provides maintenance support. Therefore, on rare occasions it may be necessary to transfer your data overseas to TCS.

Transferring personal data to a country outside the European Economic Area that does not have adequate data protection is prohibited unless the country has been approved by the European Commission as providing an adequate level of data protection or adequate safeguards have been put in place to ensure the security of the data.

As India is currently not on the European Commission’s list of countries providing adequate data protection, RPMI and TCS have entered into a data protection contract using standard clauses adopted by the EU Commission (so-called ‘model clauses’). These contain enforceable data subject rights and effective legal remedies for data subjects against TCS. Further details on the steps we take to protect your personal data in these cases are available on request by writing to us at the address on the back page.

Your rights

You will have a number of rights under the GDPR. These include the right to:

  • receive a copy of the personal data we hold about you;
  • request personal data to be amended if it is inaccurate or incomplete;
  • request the deletion or removal of personal data where there is no compelling reason for its continued use;
  • block or restrict the processing of your personal data; and
  • object to the processing of your personal data.

There is also a right under the GDPR to receive your personal data (in a structured, commonly used and machine-readable format) and to transfer your data to another service provider or data controller. This right applies where your data is being processed on the basis of your consent or in line with a contract to which you are party. Please note that, for the majority of members, this is not applicable as we rely on our legitimate business interest to collect and process your data rather than individual consent or contracts.

In order to exercise any of the above rights, please write to the DPO at the address below.

How do we keep your personal data secure?

We are committed to protecting your personal data from loss, misuse, disclosure, alteration, unauthorised access and destruction. We take all reasonable precautions to safeguard the confidentiality of personal data.

Although we make every effort to protect the personal data which you provide to us, the transmission of information over the internet is not completely secure. As such, you acknowledge that we cannot guarantee the security of personal data transmitted to us over the internet, and that any such transmission is at your own risk.

Once we have received your personal data, we will use strict procedures and security features to prevent unauthorised access (and take steps to ensure that any third parties with whom we share your personal data do the same).

Further questions or making a complaint

If you wish to exercise any of your rights or have concerns about the processing of your personal data or wish to raise any issues in relation to data protection, including in relation to the use of it by Railways Pension Trustee Company Limited, RPMI Limited or the Pensions Committee for your Section, please contact the Data Protection Officer at RPMI:

Data Protection Officer
RPMI
Stooperdale Offices
Brinkburn Road
Darlington
Co Durham
DL3 6EH

Tel 0800 012 1117
Email csu@rpmi.co.uk

If you are unhappy with how your personal information is being handled, you also have the right to make a complaint to the Information Commissioner’s Office, an independent body set up to uphold information rights, which will investigate your complaint.