Pension providers, schemes and ISPs privacy notice
Who we are
We are the Pensions Dashboard Programme (PDP), part of Money and Pensions Service (MaPS). Our contact details are:
- email: [email protected]
- post: Money and Pensions Service, Bedford Borough Hall, 138 Cauldwell Street, Bedford, MK42 9AP
MaPS’ Data Protection Officer contact details are:
- email: [email protected]
- telephone: 020 7943 0500
Privacy notice
This notice covers our processing of your personal information as a contact for personal pension providers and occupational pension schemes (pension providers and schemes) or for third-party organisations connecting on behalf of pension providers and schemes who are connecting to the pensions dashboards ecosystem. It explains why and how we collect and use your personal information to support the use of dashboards.
As we are the data controller of your personal information, we decide the legal basis, means and purposes for the collection, processing and storing of this personal information. To help us we are using Capgemini and Origo. They are our data processors of your personal information.
This notice applies in addition to the MaPS privacy notice which includes processing for other purposes.
Personal information
‘Personal information’ means information about a living individual who can be identified from that information. Identification could be from this information or when it is combined with other information.
Personal information also includes personal identifiers. This could be an identification number, location data, an online identifier, or pseudonymous data.
No sensitive or special category information, such as information relating to gender, sexuality or religion for example, is processed by us as part of pensions dashboards. We do not knowingly collect data relating to children as part of pensions dashboards.
Purpose of processing
A pension provider or scheme, or a third-party organisation connecting on behalf of a pension provider or scheme, is required to supply and keep up-to-date contact information when connecting to the pensions dashboard ecosystem. This contact information is your personal information. It is this information that we are processing.
We only use, share or store your personal information where it is needed for us to conduct our lawful dashboard activities. This will mainly include contacting you as the pension provider/scheme’s nominated contact to manage the provider/scheme’s connection. We will do this on the public task lawful basis, as we are required to use this contact information to be able to manage the pensions provider/scheme’s connection to the pensions dashboard ecosystem.
To provide you with a better, safer service, we will also process your personal information: to run management and corporate reporting; to develop, to test, to monitor and to review the performance of services, internal systems and security arrangements; and for staff training. Whenever possible, when processing your personal information for these purposes it will be anonymised, so no one can identify you.
Cookie policy
Read our cookie policy.
Your rights
We respect an individual’s right to privacy and the protection of their personal information. We have a responsibility to protect this information and ensure its confidentiality, integrity and availability. We also want you to be in control of your personal information and respect your data protection rights.
Informed – we always explain to you why, and how, personal information about you is being processed under the public task lawful basis for processing.
Objection
As we are processing your personal information on the basis of public task, you have a right to object to us processing your personal information (and to request us to restrict processing) for the purposes described in the ‘purposes of processing’ (above). However, this right is not absolute, and we can refuse the objection if we can demonstrate compelling legitimate grounds for the processing which override the interests and rights of the individual. Our processing of your personal contact information to manage pension providers’/schemes’ connection is necessary to deliver the central digital architecture pursuant to our statutory functions.
Access and rectification
You can do this at any time through our connection portal or by contacting [email protected].
There is no automated decision-making or profiling, and we need to be able to process all of your personal information in respect of the service we provide. Also, as the lawful basis for us processing your personal information is public task, the erasure and portability rights are not applicable.
In some cases, we might decide to keep information, even if you ask us not to. This could be for legal or regulatory reasons. We will always tell you why we keep the information in line with our [retention schedule].
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of your other UK GDPR rights).
However, we may charge a reasonable fee if we think your request is unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
How we use and share your information
We will only share your personal information:
- where required to by law
- where required to assist regulators, law enforcement agencies or government entities
- where required for a re-organisation, transfer or other transaction relating to our business
- where permitted by law or it is necessary to fulfil our statutory objectives (or those of a third party) and it is consistent with this Privacy Notice
In other circumstances, when we share information with third parties, it is on an anonymous (whenever possible) and limited basis.
How long we keep your information
Our approach when deciding how long to keep information:
- retention periods depend on the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements
- we will only retain your personal information for as long as needed to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements
- we retain personal information for a limited time to improve operational effectiveness and your user experience
We have applied our approach when setting our retention period in respect of your personal information and the period is [TBC]
Sometimes we may retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by a regulator or a law enforcement agency, if there is the prospect of litigation or a complaint. This ensures we can produce records as evidence.
Security
We are committed to ensuring that your information is held securely. We also take various steps to keep secure the information you provide and protect it from loss, misuse and unauthorised access or disclosure.
Processing of your personal information is carried out only on our instructions by the person authorised to access your data.
We have a data processing agreement with Capgemini and Origo to make sure your personal information is secure and protected. Our employees, Capgemini and Origo are all subject to a duty of confidentiality.
We also run website scanning and penetration test activities to test the current state of our technology.
If a security breach causes an unauthorised intrusion into our system that materially affects you or the privacy of your data, we will notify you as soon as possible. We will also notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
Data storage
Whenever we transfer your personal information out of the UK, it will be transferred to a country with at least an equivalent data protection regime to the UK.
Contact us and communicating with us
If you have any queries about how we use your personal information that are not answered here, or if you wish to complain to our Data Protection Officer, please contact us at [email protected] or 020 7943 0500. Find out more about the MaPS privacy notice.
If you are in contact with us or our suppliers, we may process your personal information under a variety of means (including via email, post and/or telephone). You should let us know if your contact details change or if you no longer want us to contact you. We may monitor or record this contact, including under other communications, such as by text.
Our address is Money and Pensions Service, Bedford Borough Hall, 138 Cauldwell Street, Bedford, MK42 9AP and you can email us at [email protected].
More information about MaPS can be found on the MaPS website.
We hope that we can address any concerns you may have, but you can always contact the Information Commissioner’s Office (ICO).