How we use your information
We collect and process your personal data for the following reasons:
- to administer and manage the Scheme and the Funds, including paying you any benefits you are entitled to under them (as applicable);
- to communicate with you about your benefits, and the Scheme and the Funds in general;
- to trace you and other beneficiaries;
- to establish your identity and eligibility for benefits;
- to obtain actuarial, statistical and financial modelling calculations in order to inform and guide the Trustee about Scheme and Fund investment and funding matters;
- to record and update member records to ensure information is correct and to prevent and detect fraud;
- to prepare accounts for the Scheme and the Funds, and to assist Railpen’s auditors;
- to pay tax charges, including reporting to HM Revenue & Customs;
- to support Railpen’s compliance with legal obligations, such as reporting to relevant authorities, independent regulators, and government bodies, including to respond to compulsory questionnaires from the Pensions Regulator and Office of National Statistics (these are usually completed on an anonymous basis);
- to comply with Railpen’s legal obligations, any relevant industry or professional rules and regulations or any applicable voluntary codes;
- to maintain compliance with internal policies and procedures; and/or
- to comply with court orders and/or in connection with legal proceedings or disputes.
If we wish to use your personal data for any other purpose, we will update this privacy notice.
Information we collect from or about you
We may collect and process the following types of personal data about you and, in some circumstances, your spouse, civil partner, partner or dependants, including but not limited to:
- contact details such as name, home address, telephone number and personal e-mail address;
- national insurance number;
- gender and date of birth;
- marital status, next of kin and family / dependants;
- dates on which you joined and left pensionable service;
- financial details such as your salary information;
- information relating to any pension sharing or earmarking order (if your marriage or civil partnership ends);
- information about pension benefits you have accrued, investment choices and death benefit nomination forms;
- tax information and any protections that you may have in relation to your pension benefits; and/or
- your bank account details.
This information may be obtained from your current or former employer, government agencies, any financial or other adviser or representative acting on your behalf, service providers that allow us to verify the accuracy of your personal details (for example, to trace your current address or to verify your continuing existence), and from yourself.
In certain circumstances, we may ask you for information relating to your health, for example, if you apply for ill health benefits. In some circumstances, additional medical information may be required from your doctor or appropriate medical advisor. We will explain to you at the time why we need that information and how we intend to use it. When we need to, we will ask for your consent to use your health information.
You do not have to provide the information requested from you, but there may be a delay in the payment of your benefits if that information is not provided.
You may also need to provide us with personal data relating to other people (for example, your spouse, civil partner or dependants) for example when completing a nomination form. When you do so, you will need to check with them that they are happy for you to share their personal data with us and for us to use it in accordance with this privacy notice.
If you are acting on behalf of a child, may also process your personal data, which will be dealt with in accordance with this privacy notice.
What is our lawful basis for processing your information
Under applicable data protection legislation we must have a legal basis to process your personal data and this will be:
- to comply with our legal and regulatory obligations;
- to establish, exercise or defend our legal rights or for the purpose of legal proceedings;
- where we have obtained your consent;
- to perform our contractual obligations; or
- for our legitimate business interests, such as:
- to administer and manage the Scheme and the Funds, including paying you any benefits you are entitled to under them (as applicable);
- to communicate with you about your benefits, and the Scheme and the Funds in general;
- to trace you and other beneficiaries;
- to establish your identity and eligibility for benefits;
- to obtain actuarial, statistical and financial modelling calculations in order to inform and guide the Trustee about Scheme and Fund investment and funding matters;
- to record and update member records to ensure information is correct and to prevent and detect fraud; and/or
- to maintain compliance with internal policies and procedures.
In certain circumstances, we will need your consent to collect and process your personal data; this is most likely where we are collecting information relating to your health (for example, in applying for ill health benefits). If we are processing your personal data on the basis of your consent, you can withdraw your consent at any time by contacting RPMI’s Data Protection Officer (details set out in the “How to contact us” section below).
Disclosure of your information to third parties
From time to time, we may need to share your personal data with third parties. The types of third parties we may need to share some of your personal data with include:
- your current or former employer;
- pension schemes with which the person whose personal data we are processing has an association;
- our professional advisors, including:
- the Scheme or Fund actuary – this is an actuary who is personally appointed to provide advice on the funding of the Scheme or Fund. The actuary will be supported by an actuarial team who will also have access to your personal data;
- the Scheme or Fund auditor – they prepare the Scheme's or Fund’s annual accounts and audit them for us; and
- the Scheme or Fund legal advisor – they advise us on all legal issues affecting the Scheme or Fund;
- government agencies (for example, HM Revenue and Customs);
- ombudsmen and regulatory authorities;
- companies that provide services to us, such as printers, IT and communication providers, including providers of email archiving, back-up and disaster recovery and cyber security services;
- with our business partners who are contractually obliged to comply with appropriate data protection obligations; and/or
- third parties in order to verify your identity as well as to prevent and detect fraud. This would involve a ‘soft’ credit check from a credit referencing agency. They are visible on your credit report but don't show up in the same way as a 'hard' check and do not affect your credit rating.
Your personal data will also be disclosed to third parties:
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or any lawful request from any legal or regulatory authority; and/or
- to respond to any claims, and to establish, exercise or defend our legal rights.
Details of all of the main advisers to the Scheme are available in the Scheme's annual report and accounts, which are available on request by writing to us.
Most third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal data for the specific purposes identified by us.
Certain third parties are independent controllers of your personal data. Typically this is because they are subject to legal or regulatory obligations. As such, they will be responsible for their own processing of your personal data to the extent that the processing activities relates to those obligations. The Scheme and Fund actuary and our professional advisors are typically independent controllers:-
- Willis Towers Watson provides actuarial services for the Railways Pension Scheme and the British Railways Superannuation Fund and is an independent controller in respect of your personal data which it processes to provide these services. Its privacy notice is available at www.willistowerswatson.com/personal-data
- XPS Pensions Group provides actuarial services for the BT Police Superannuation Fund and is an independent controller in respect of your personal data which it processes to provide these services. Its privacy notice is available at https://www.xpsgroup.com/legal-regulatory/privacy-policy
How long do we retain your information
How long we hold your personal data for will vary. The retention period will be determined by various criteria including:
- the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
- legal obligations – laws or regulation may set a minimum period for which we have to keep your personal data.
As pensions are a long-term saving vehicle, it may be necessary to retain your personal data for the remainder of your life and any dependants’ lives in order to administer the Scheme and Fund, and to deal with any questions or complaints we may receive about them.
When we no longer need your personal data, we will ensure that it is securely destroyed.
Transferring information outside the UK
In certain circumstances, your personal data may be transferred outside of the UK.
If we transfer personal data outside of the UK (for example to one or more of our service providers), we will take appropriate measures to ensure that your personal data is adequately protected in a manner which is consistent with this privacy notice and in accordance with applicable data protection law. This can be done in a number of ways, for instance:
- the country that we send your personal data to might be approved by the UK Government as having adequate level of protection; or
- the recipient might have signed up to a contract based on “model contractual clauses” approved by the Information Commissioner’s Office, obliging them to protect your personal data.
In other circumstances the law may permit us to otherwise transfer your personal data outside the UK. In all cases, however, we will ensure that any transfer of your personal data is compliant with applicable data protection legislation.
The majority of our core systems, data, and administration services are all carried out and stored within the UK.’ However, TCS an international information technology service provider, based in India, provides maintenance support. Therefore, on rare occasions it may be necessary to transfer your data overseas to TCS.
As India is currently not on the UK Government’s list of countries providing adequate data protection, RPMI and TCS have entered into a data protection contract using the approved form of the model contractual clauses. These clauses contain enforceable data subject rights and effective legal remedies for data subjects against TCS.
You can obtain more details of the protection given to your personal data when it is transferred outside the UK (including a copy of the model contractual clauses which we have entered into with recipients of your personal data) by contacting us in accordance with the “How to contact us” section below.
Your rights
You have a number of legal rights in relation to the personal data that we hold about you. These rights include:
- the right to obtain information regarding the processing of your personal data and access to the personal data which we hold about you;
- the right to withdraw your consent to our processing of your personal data at any time. Please note, however, that we may still be entitled to process your personal data if we have another legitimate reason (other than consent) for doing so;
- the right to receive your personal data (in a structured, commonly used and machine-readable format) and to request that we transfer your data to another service provider or data controller where technically feasible. This right applies where your data is being processed on the basis of your consent or in line with a contract to which you are party. Please note that, for the majority of members, this is not applicable as we generally rely on our legitimate business interest to collect and process your data rather than individual consent or contracts;
- the right to request that we rectify your personal data if it is inaccurate or incomplete;
- the right to request the we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data, but we are legally entitled to retain it;
- the right to object to, and the right to request that we restrict, our processing of your personal data in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal data but we are legally entitled to continue processing your personal data and / or to refuse that request; and
- the right to lodge a complaint with the data protection regulator (details of which are provided below) if you think that any of your rights have been infringed by us.
You can exercise your rights by contacting our Data Protection Officer using the details set out in the “How to contact us” section below.
You can find out more information about your rights by contacting the Information Commissioner’s Office, or by searching their website at https://ico.org.uk/.
How do we keep your information secure
We are committed to protecting your personal data from loss, misuse, disclosure, alteration, unauthorised access and destruction. We take all reasonable precautions to safeguard the confidentiality of personal data.
Although we make every effort to protect the personal data which you provide to us, the transmission of information over the internet is not completely secure. As such, you acknowledge that we cannot guarantee the security of personal data transmitted to us over the internet, and that any such transmission is at your own risk.
Once we have received your personal data, we will use strict procedures and security features to prevent unauthorised access (and take steps to ensure that any third parties with whom we share your personal data do the same).
Other websites
Our websites contain links to other websites. Our privacy notice applies only to our website, so if you click on a link to another website, you should exercise caution and look at the privacy notice applicable to the website in question.
How to contact us
If you wish to exercise any of your rights or have concerns about the processing of your personal data or wish to raise any issues in relation to data protection, including in relation to the use of it by Railpen, please contact the Data Protection Officer at:
Data Protection Officer
RPMI
Stooperdale Offices
Brinkburn Road
Darlington
Co Durham
DL3 6EH
Tel: 0800 012 1117
Email: csu@rpmi.co.uk
If you are unhappy with how your personal information is being handled, you also have the right to make a complaint to the Information Commissioner’s Office (www.ico.org.uk), an independent body set up to uphold information rights, which will investigate your complaint.
Changes to this notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
This privacy notice was last updated in March 2021.
