Privacy policy – Retirement benefits plan

Our Privacy Policy applies to personal data collected and used by St Dunstan’s Retirement Benefits Plan (1973). Under data protection law and regulation, we are a ‘data Controller’ and are registered as such with the Information Commissioner’s Office (Registration Reference Number: (ZA356585).

The Plan and its Trust was established by St Dunstan’s (now the Blind Veterans UK Group) as the Principal Employer to manage, administer and pay the appropriate scheme benefits to members and nominated beneficiaries.

References to “the plan”, “the scheme”, “Trust”, “Trustees”, “our’, ‘us’, and "we" means St Dunstan’s Retirement Benefits Plan (1973).

For the purposes of the scheme we are Joint Controllers with Blind Veterans UK (UK registered charity 216227) sharing responsibility for determining the purposes and means of the processing of personal data as defined in UK-GDPR 2020. Barnett Waddingham is a Data Processor as our scheme administrator. Additionally, Barnett Waddingham also process personal data as the scheme Actuary. When exercising that function they are a data Controller in their own right. Individuals should refer to their privacy policies to understand how they process and treat personal data. Links to these policies are in Section 9 “How to Contact Us’.

What we need to collect

For data to be considered ‘personal’ it must relate to an identified or identifiable individual. An individual can be identifiable either directly (a name, address, email address etc.) or indirectly (current or previous job title, payroll number, location, business phone number). Where there is insufficient data to identify an individual from a group that is not personal data. If identifiable data is used but the use does not relate to a specific individual that would also not be personal data. We need to process personal data about our scheme members to allow us to provide the appropriate pension and benefits.

As a member of the scheme, we will process personal data for the purpose of setting up, administering, maintaining, calculating and paying pensions accurately to scheme members and appropriate dependents. We do this while also meeting our legal obligations and pursuing our legitimate interests as pension plan trustees.

This may include:

• Name.
• Contact details (Postal address, telephone number, email address)
• Date and place of birth.
• Gender (Recorded at birth for HMRC purposes)
• National insurance number.
• Career, unpaid leave, retirement details, membership status (in-service deferred, deferred or pensioner), details of last change in status.
• Banking, salary, pension payment, AVC contributions, tax details and Guaranteed Minimum Pension entitlement.
• Spouse and nominated beneficiary details.
• Health details.

We will be very clear when we wish to collect such personal data and our reason for collecting it. We will only do so when we have a lawful basis for processing as required by UK-GDPR and DPA 2018.

UK Data protection law and supporting regulation recognises certain personal data as ‘special category’ data and as being particularly sensitive. This includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, certain biometric data, data concerning health or a person's sex life or sexual orientation. Sometimes we may need to collect or may indirectly obtain such data. This is most likely to be health details (e.g. in the case of ill health early retirement), where we need to consider discretionary benefits or appropriate pension payments.

When providing necessary special category or personal data either at our request or voluntarily, you explicitly agree that we may collect and use it in order to provide our services in accordance with this privacy policy.

The accuracy of personal data we process is really important to us. To update, amend, add or correct any personal data we hold, please contact us using the contact details in Section 9 of this policy.

Why we need it

We need scheme member’s personal data in order to perform functions such as:

• Statutory Requirements. Whether an individual is a deferred member or a current pension beneficiary, we need to comply with legal, audit and actuarial obligations as required by pension law.
• Administer and manage the Pension Plan. Whether an individual is a deferred member, a pension beneficiary or a dependent, the Blind Veterans UK Group payroll systems needs to calculate monthly retirement benefits, the value of pensions and AVCs, other benefits and entitlements such as a trivial commutation, transfers and payment details. We also need to be able to calculate the value of the pension fund.
• Communicate with scheme members. To know how scheme members prefer to be contacted and to make adjustments as specified. To provide scheme members with specific services, updates and information. To assist with technical problems related to our services.
• To improve our services and administration. To ensure the most efficient and appropriate use of the resources we have.

We collect personal data about scheme members in a variety of ways. We may collect personal data directly when we ask, or we may collect data indirectly, when it is available from other sources, such as HMRC or tracking agents.

Direct from scheme members

Scheme members will give us personal data directly, during the pension application process and subsequently when managing or amending pension requirements. Scheme Members will also give us personal data if when communicating with us or asking us to consider specific individual entitlements or adjustments.

Indirectly from other sources

We may obtain Scheme Members personal data indirectly when permission is provided to others/3rd parties to share it or it is publicly available, such as from:

• Third party organisations or individuals. We may obtain personal data from third parties if consent to share has been provided for a specific purpose. This could apply if an individual has agreed a 3rd party can approach us or we can approach them, for example a legal representative or health care agency. We may also obtain personal data about scheme members from official sources as part of enabling pension services, such as HMRC for tax purposes or for the purpose of paying appropriate pensions using the scheme’s Actuary’s data.
• Publicly available sources. Public information may include personal data information from places such as Companies House, the electoral register. Additionally, the Post Office’s National Change of Address database allows us to keep personal data up to date.

Data protection law and regulation require us to have a lawful basis for processing personal data. These include:

• To protect the vital interests of an individual or another person. If we believe that the safety and or security of an individual, or a third party is at imminent risk of harm, UK law allows a controller to use personal data specifically to minimise that harm to protect life. We acknowledge, we have a duty to protect individuals, this lawful basis permits us to process personal data in these specific and unusual circumstances. This lawful basis will only be used when necessary.
• To comply with a legal obligation. For example, where we are ordered to do so by a court or regulatory authority or we are legally required to process personal data such as tax records, pension payments and actuarial services.
• In performance of a contract. To fulfil the requirements of the contract such as payment of Additional Voluntary Contributions (AVCs) to a contracted 3rd party provider.
• Where we as a pension scheme have a legitimate interest. Where we have a legitimate interest, we must ensure that we are not harming individual interests or individual data rights and only use personal data in a manner that would reasonably be expected of us. For example, we need to administer and manage individual pension plans and need to be able to contact and communicate with scheme members for pension purposes or to certify current status and details.
• Where consent has been given for a notified purpose(s). This may include when we require special category health details to consider benefit entitlements or when considering a transfer in or out of the scheme. Where we need consent, or in some cases explicit consent it will be clearly identifiable for a specific purpose.

Where we process special category personal data (such as health) we will ensure we do so in accordance with at least one of the required processing conditions within Article 9 of UK-GDPR. For example, obtaining explicit consent when necessary for carrying out our obligations as a pension provider.

Protecting personal data

We ensure that there are reasonable and appropriate technical and organisational controls in place to protect personal data against unauthorised or unlawful processing and against accidental loss, corruption, destruction or damage. We make use of the Blind Veterans’ UK Group Microsoft 365 IT environment as our Joint Controller. Their devices, computers, online systems and IT environment infrastructure is protected and routinely monitored. We and they have policies and procedures in place which Trustees and staff are expected to comply with and for which they receive training.

Managing access and sharing of personal data

We undertake regular reviews of who has access to personal data which we hold to ensure that it is accessible only by necessary and appropriately trained trustees, employees, representatives and trusted third parties. Where we share personal data with a third-party processor, such as Barnett Waddingham the scheme administrator, or our auditors, AVC providers, legal advisors, we require that they have appropriate technical and organisational measures in place to protect personal data, at a standard equal to our own.

On rare occasions, we may be compelled by law to disclose personal data to a third-party, such as law enforcement agencies, the UK courts or government bodies (e.g. HMRC) and we have limited control over how it is protected by that party.

Occasions, other than by law, when we may share personal data include:

• Where we are acting on consent to do so.
• When we use external service providers to process personal data on our behalf, for example, providing pension administration, tracing and actuarial services. A list of data processors used is included at the end of this document.
• If we believe that we need to protect the rights, property or personal safety of the scheme or Blind Veterans UK and their personnel, scheme members and for other lawful purposes.
• We may disclose aggregate statistics about our pension to describe our scheme and for audit purposes, but these statistics won’t include any personally identifying data without explicit consent.
• If we or Blind Veterans UK (as Principal Employer) merge with another organisation or partly diversify forming a new entity, personal data will be transferred to the new entity within the limits of UK law.

We will never rent, share, swop or sell personal data to other organisations for our or their own purposes or to make money out of personal data we hold as a controller.

Where we store personal data

The personal data provided to us will be held within the Blind Veterans UK Group’s Microsoft 365 Environment IT network. Where we have contracted with a third party to process personal data it will also be processed on their own IT systems and servers on our behalf. As a deferred member or a current pension beneficiary pension related personal data will be processed by CoreHR on behalf of Blind Veterans UK payroll. All CoreHR processing of client personal data is limited to servers located within the EU. This processing is permissible due to the fact the UK has data been acknowledged as meeting protection “Adequacy” with the EU.

The Trustees of the St Dunstan’s Retirement Benefits Plan (1973) and the Blind Veterans UK Group, do not process scheme member’s personal data on servers located outside of the UK. If the circumstances for the processing of personal data needed to change, we will put in place, where appropriate, safeguards to protect this personal data and any corresponding data rights. If we need to transfer your personal data to a location outside of the UK, we will ensure if there is not an active “Adequacy” agreement in place we will conduct an appropriate risk assessment and put in to place appropriate “additional measures” to safeguard personal data and individual rights, such as the use of Standard Contractual Clauses (SCC). If the transfer is a one off or infrequent we may ask a scheme member for explicit consent to validate and conduct the transfer when the details of the transfer have been provided.

The EU have recently agreed a data transfer agreement with the USA. The EU-US Data Privacy Framework (DPF) is a bespoke, opt-in certification scheme for US organisations, similar to the privacy shield. From 12 October 2023, organisations in the UK can start to transfer personal data to US organisations certified with the “UK Extension to the EU-US Data Privacy Framework”. However, this new framework is not an adequacy decision, it does not allow for the free transfer of personal data to the US. The operation of the framework has restrictions, e.g. it cannot be used by banking, insurance, and telecommunication organisations. Where the new framework cannot be used to transfer personal data to the US, Blind Veterans UK will continue to use either the SCCs or the UK’s IDTA. 

The law requires we hold personal data for only as long as is necessary. We process and retain personal data to fulfil the purposes for which the data was collected (managing and administrating the pension plan) and our legitimate interests or in order to comply with legal or regulatory obligations, rules and requirements.

On a scheme members death, we will retain specific personal data in order to continue to administer appropriate benefits to any nominated beneficiaries and to meet any legal or regulatory requirements or to protect our legitimate interests and for legal purposes, for example in the event of a dispute. Note: Information related to a deceased person is no longer subject to data protection legislation. However, personal data provided to us (which is not in the public domain) for pension plan purposes is provided on the expectation that it will kept confidential, this will continue to apply after the death of the individual, this personal data is thereby protected by the common law duty of confidentiality.

We manage the retention of personal data with the use of the Blind Veterans’ UK Group Retention and Disposal Policy. The policy uses a 2-step process to determine how long we retain documents which may contain personal data. The criteria we use for this process is to identify the “Business Function” the document was used for, then to apply a “Purpose of Retention” (from the list below). Identifying the business function allows us to group similar documents together and assign corporate ownership to proactively manage data retention. Applying a retention purpose ensures we only retain personal data for a transparent period of time necessary to meet statutory, contractual or best practice requirements.

• Retained as Live data only……………….………. 1 year
• Record(s) of Activity and or a Process………….. 3 years
• Evidence or Compliance………………………….. 6 years
• Governance Purposes……………………………. 7 years
• Legal (Pensions, Property, Safeguarding)…..… 12 years
• Permanent retention (subject to review)…….… (Life of charity)

Although the St. Dunstan's Pension Plan has no website of its own, we make use of the Blind Veterans UK Group website, for example to access this privacy policy, it is recommended that scheme members should read their privacy policy to understand what personal data they may gather about you by doing so using such technologies such as cookies.

The UK’s data protection framework includes two primary pieces of legislation, UK-General Data Protection Regulations 2020 (UK-GDPR) and Data Protection Act 2018, these two authorities are to be jointly considered as the authority of UK data protection law. This UK legislation gives everyone a number of very important rights. In abbreviated form these are:

• The right to be informed. Transparency over how we use personal data. This Privacy Policy is required under this right.
• The right of access. Request confirmation of processing and to be provided with copies of an individual’s personal data held by us.
• The right of rectification. Update or amend the information we hold about a scheme member if it is incomplete or inaccurate.
• The right to erase or ‘right to be forgotten'. An ability to ask us to remove personal data from our records where there is no compelling reason for its continued processing, subject to specific exemptions.
• The right to object. An ability to object to the processing of personal data for certain purposes (such as marketing, research, statistics or our legitimate interests).
• The right to restrict processing. An ability to ask us as a contoler to supress the processing of personal data subject to qualifying criteria.
• The right to data portability. An option to obtain and reuse your personal data for your own purposes.
• Rights in relation to automated decision making and profiling.

To know more about individual rights under the data protection law see the Information Commissioner’s Office (ICO) website which also explains how to contact them.

Remember, these rights can be exercised at any time in relation to the processing of an individuals personal data. To request an individual right contact us using the contact details set out in the ‘How to contact us’ in section 9 of this policy.

Individuals if not satisfied with our response or believe we are not processing their personal data in accordance with the law and or individual rights, after engaging with us to discuss any concerns can complain directly to the Information Commissioner’s Office at:

Post: Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113.
Online: www.ico.org.uk/make-a-complaint/your-personal-information-concerns/

To raise any comments or questions regarding this Privacy Policy or to discuss how we process personal data, enquire about individual rights or make a complaint, you are very welcome to do so. Contact our Data Protection Officer at:

Post: Data Protection Officer
Blind Veterans UK, 126 Fairlie Road, Slough, SL1 4PY
Phone: 020 4534 1127 (direct dial)
Online: dpo@blindveterans.org.uk

Other scheme related Controller details

The scheme Actuary’s (Barnett Waddingham ) privacy policy is at the following link, which includes details of how to contact them if required: https://privacy.bwllp.co.uk/clients/St-Dunstans-Retirement-plan-GDPR-Privacynotice.pdf

Appendix 1: List of data Processors