1. Introduction
Brightwell are registered at One America Square, 17 Crosswall, London, England, EC3N 2LB (“we”, “us” or “our”) and are data controllers for any relevant Data Protection Regulations, including EU GDPR, UK GDPR and DPA 2018). We are committed to protecting and respecting your privacy.
This Privacy Notice sets out the basis on which we will process any personal data we collect from you, or that you or third parties provide to us, in connection with your membership in the Scheme and which relates to you or to any individual connected with you.
Please read this Privacy Notice (“Notice”) carefully so that you understand your rights in relation to your personal data, and how we will collect, use, and process your personal data.
In a situation where you provide us with your personal data to share with a third party who will provide a service to you directly, they are the data controller of that personal data and you are strongly advised to review their own privacy notice for details as to how they handle your personal data.
This Notice explains our policy in relation to:
- what information we collect about you,
- how we use your information,
- who we share your information with,
- where and how long we will keep your data,
- how we keep your information safe,
- your rights regarding the personal information you provide to us,
- technical information that we collect about you (including via the use of cookies on our website), and
- who you can contact if you have questions or complaints about how we process your personal data.
2. Information we collect about you and how we use it
You and your employer provide certain information to us in relation to your membership of the Scheme when using the online pensions portal which enables members to manage their membership in the Scheme (the “Pensions Portal”) and when visiting and/or contacting us online, by phone, email, post or any other engagement or correspondence that you or your employer may have with us.
You acknowledge that we may collect, use, process and transfer your personal data as set out in this Notice.
The Scheme reserves the right to change this Notice from time to time and you should therefore check this page frequently to ensure that you are happy with any changes. We will ensure that your personal data is handled in accordance with this Notice.
3. What types of personal information do we collect about you?
We hold the following personal information about you:
- personal details such as your name, gender, age, date of birth, email address, postal address, telephone or mobile number and identifiers such as national insurance number,
- marriage, partnerships and marital history, details of family and dependants,
- employment details such as pensionable pay, length of service, employment and career history, recruitment and termination details, attendance record, health and safety records, security records, job title and job responsibilities, financial details such as income, salary, assets and investments, bank account details to process pension payments, voluntary deduction choices, benefits, grants and insurance details,
- information on your trade union membership, if you are a member in receipt of a pension and have opted into paying a trade union directly from your pension receipts,
- if you are involved in an appeal in relation to an early retirement due to ill health decision, relevant details in relation to your physical and mental health, and
- technical information and other information about your visits to our website and the Pensions Portal – you can find more information about this below.
If you provide us with information about someone else, for example your family members and dependants, we will assume that you have their permission to do so. We will process their personal data in accordance with this Notice. Please let them know you have provided their information to us and encourage them to read this Notice.
4. How do we use your information
We will use your personal information for the purposes of administering and managing the Scheme. We may receive information from third parties who collect your personal data and pass it on to us. For example, a claim organisation contacts us on your behalf. Where this is the case, the third party is responsible for obtaining the relevant consents from you to ensure you are happy with the ways in which your personal data will be used.
More information on the purposes for which we process your data and the legal bases for this processing can be found in additional information.
5. Who we share your personal data with
We do not sell, rent, or lease your personal information. We share your information with selected recipients as set out in this Notice. This includes sharing information with those who are involved in the running of the Scheme, those who aid us to run the Scheme, those who sponsor or oversee the Scheme, and those who may have a legal or regulatory right to request such information. Please see section 15.2 “Who Do We Share Your Personal Data With” for more information about who your personal data is shared with.
6. Where do we store your personal data
The information that we collect from you will be transferred to and stored at/processed in the UK/EEA. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Notice.
We will only transfer your information outside of the UK/EEA where we have your consent and there are adequate measures in place to provide appropriate safeguards such as Model Clauses (Standard Contractual Clauses (SCCs) produced by the EU Commission) and other appropriate safeguards such as (Code of Conduct and Certification). Please see section 15.5 “Transfer Mechanism” for more information about Transfer Mechanisms.
7. Keeping your information safe
The transmission of information via the internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your information transmitted through this website or over email; any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organisational measures to safeguard your personal data against loss, theft and unauthorised use, access, or modification.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping such password confidential. Please do not share your password with anyone.
8. How long will we keep your personal data
Pension benefits are paid over a long period and your right to benefits payable under the Scheme is based on information that may date back many years. We will decide to delete some of the data held in relation to you after 6 years. However, your personal information may be held for longer where:
I. it is required by law or a court order,
II. it is needed to establish, exercise, defend or pursue legal claims,
III. we consider it is necessary to ensure the Scheme pays the correct benefits,
IV. to deal with any queries relating to your benefits as they may arise after that time, and
V. to protect the rights of another natural or legal person.
After the retention periods have elapsed, we will store your information in an aggregated and anonymised format.
9. Your rights regarding the personal information you provide to us
You have certain rights in relation to the personal information we hold about you, which we detail below. Some of these only apply in certain circumstances as set out below. We also set out how to exercise those rights. Please note that we will require you to verify your identity before we respond to any of your requests. We must respond to a request by you to exercise those rights without undue delay and at least within one calendar month (although this may be extended by a further two months in certain circumstances). To exercise any of your rights, please complete the Data Subject Rights Request Form.
Name of Rights |
Right Description |
Right of Information |
You have the right to know the personal information we hold about you, how we use it, who we share it with and how long we keep your personal data. |
Right of Access |
You have the right to know whether we process your personal information, and if we do, to access information we hold about you, how we use it and who we share it with.
If you require more than one copy of information, we hold about you, it is free of charge, unless we deem it necessary to charge you an administration fee.
We may not provide you with certain personal information if providing it would interfere with a person’s rights and freedom (e.g., where providing the personal information would reveal information about another person) or where another exemption applies.
Please See “how long will we keep your personal data”.
|
Right to Rectification |
The accuracy of the information we hold about you is important to us. Under the DPA 2018 and EU GDPR, you have the right to access the information we hold about you and have any inaccuracies corrected. Where you request correction, please explain in detail why you believe the personal data we hold about you to be inaccurate or incomplete so that we can assess whether a correction is required.
Please note that whilst we assess whether the personal data, we hold about you is inaccurate or incomplete, you may exercise your right to restrict our processing of the applicable data. |
Right to Erasure |
This is also known as the “right to be forgotten”. Please see section 15.3 “Your Right to Erasure” for more information about the circumstances in which you may request that we erase the personal data we hold about you. |
Right to Data Portability |
You have the right to receive a subset of the personal data we collect from you in a structured, commonly used, and machine-readable format and a right to request that we transfer such personal data to another third party. Please see section 15.1 “Legal Bases of Processing” for more information on the data we hold.
|
If you wish for us to transfer the personal data to another third party, please ensure you detail that third party and note that we can only do so where it is technically feasible. We are not responsible for the security of the personal data or it’s processing once received by the third party. We also may not provide you with certain data if providing it would interfere with right and freedom of another person (e.g. where providing the personal data we hold about you would reveal information about another person or our trade secrets or intellectual property). |
Restriction of Processing to Storage Only |
You have a right to require us to stop processing the personal data we hold about you other than for storage purposes in certain circumstances. Please note, however, that if we stop processing the personal data, we may use it again if there are valid grounds under data protection laws for us to do so (e.g. for the defence of legal claims or to protect to right and freedom of another person.
Please See “how long will we keep your personal data”.
Please see section 15.4 “Restriction of Processing to Storage Only” for more information on the circumstances in which you may request that we stop processing and just store the personal data we hold about you.
|
Making a Complaint |
You have a right to lodge a complaint with relevant data protection supervisory authorities. In the UK, it is the Information Commissioner’s Office (ICO). |
Contact the ICO – details are on the ICO website. |
10. Third Parties
We may share your personal data with a third party where it is necessary
- 1. for the performance of the services you have requested
- 2. for us to comply with our legal obligations or
- 3. for our legitimate business interest.
11. Technical information (including cookies) that we collect about you
When you visit our website, we collect technical information about your computer, such as your internet protocol address (which is a number that can uniquely identify a specific computer on the internet), time zone setting, your login information, browser type and version, browser plug-in types and versions, operating systems and platforms.
We use cookies to collect information about your browsing activities over time following your use of our services. This allows us to recognise and count the number of users and to see how users navigate on our website when they are using it. This helps us to improve the services we provide to you and the way our website works.
12. Complaints
If you wish to make a complaint about how we process your personal data, please contact us using the contact details below and we will endeavour to deal with your request as soon as possible. This does not interfere with your right to raise a complaint with a relevant data protection supervisory authority.
13. Changes to our Privacy Notice
Any changes we make to our Privacy Notice in the future will be updated on this page. Please check back frequently to see any updates or changes to our Privacy Notice. Any changes to this Notice will become effective when we post the revised Privacy Notice on our website.
Your use of the website, or continued participation in the Scheme, following these changes means that you accept the revised Privacy Notice. It is your responsibility to ensure that you are aware of the latest version of this Notice.
If you have any questions, comments or requests regarding any aspect of this Notice, please do not hesitate to contact us as soon as possible at:
By post: BT Pension Scheme, Sunderland, SR43 4AD
By email: dpqueries@btps.co.uk
By phone from within the UK: 0800 731 1919
By phone from outside the UK: +44 0203 0233420
15.1 Legal Bases of Processing
Category of Personal Data |
Purpose for Processing |
Legal Basis of Processing |
Personal details such as your name, gender, age, date of birth, email address, postal address, telephone or mobile number and identifiers such as national insurance number |
- In relation to any correspondence (including queries relating to your membership of the Scheme via the Pensions Portal or our call centre) for the purpose of administration of the Scheme
- To notify you about our services and changes to our services
- To conduct member satisfaction surveys
- For internal record keeping
- To verify your identity, to prevent and detect fraud and to comply with our legal and regulatory obligations
|
-
Performance of a contract as required by the Scheme
-
Legitimate interests to run an effective business
|
Personal details and family, lifestyle and social circumstances such as details about current marriage and partnerships and marital history, details of family and dependents |
- To carry out our obligations arising from any agreement that we have with, or concerning you and to provide you with the information, benefits and services that you request from us
- Risk management including credit risk analysis and the insurance of longevity risks and related demographic risks
|
-
Performance of a contract as required by the Scheme
-
Legitimate interests to run an effective business
|
Personal details and employment details such as pensionable pay, length of service, employment and career history, recruitment and termination details, attendance record, health and safety records, security records, job title and job responsibilities, financial details such as income, salary, assets and investments, bank account details to process pension payments, benefits, grants and insurance details |
- To administer the Scheme including to process data to calculate and pay benefits
- To comply with any present or future law, rule, regulation, guidance, or directive, and complying with any industry or professional rules and regulations or any applicable voluntary codes
- To comply with any present or future requests received from BT plc
- To comply with requests made by local and foreign regulators, governments, and law enforcement authorities, and complying with any subpoena or court process, or in connection with any litigation
|
-
Performance of a contract as required by the Scheme
-
Legitimate interests to run an effective business
|
Personal details and pension entitlement |
- To comply with and carry out your instructions in relation to your benefits and investment choices including in relation to additional voluntary contributions and voluntary deductions, (e.g. charities and trade unions) where applicable
|
- Performance of a contract
- Legitimate interests to run an effective business
|
Personal details and details in relation to your physical and mental health |
- Compliance with our legal obligations
- Necessary for carrying out our legal obligations in the field of social security law
|
- Legitimate interests to run an effective business
- Explicit consent
|
Technical information and other information about your visits to our website/Pensions Portal |
- To improve the service we provide to you and the way our website and Pensions Portal works
|
- Legitimate interest to ensure our website and Pensions Portal is operating effectively
|
Voice recordings of calls made to or from the Pension Scheme |
- For training and quality purposes, in order to improve the services we provide to you.
|
-
Performance of a contract
-
Legitimate interests to run an effective business
|
15.2 Who Do We Share Your Personal Data With
The categories of recipients |
Who do we share your personal data with |
Categories of recipients
|
- Our affiliate companies, BT Pension Scheme Management Limited and BT Pension Scheme Administration Limited, to manage and administer the Scheme and your pension.
- BT plc as the sponsoring employer and members of its group of companies - please refer to the BT Employee Privacy Notice for information on how BT uses the personal data of its current and former employees.
- Cloud and other data storage providers, to store the personal data you provide and for disaster recovery services, as well as for the performance of any contract we enter into with you.
- IT Services providers, including but not limited to, Procentia and OneAdvanced – IT Services, located in the UK for fund administration.
- 8x8 Inc. A provider of Voice over IP products including cloud-based voice, contact centre, and unified communications for businesses., and their sub-processors, who are located in US, UK, Romania, Australia, Singapore, Portugal.
- External printing and office support providers, such as postal and scanning services, including but not limited to Pearlscan and Paragon Limited.
- Payment providers Convera UK Financial Limited (Formerly Western Union), Equiniti, AccessPay, Advance, Bottomline, Royal Bank of Scotland, including banks, located in the UK and, if you are not resident in the UK and are in receipt of a pension, the country of your residence.
- Insurance companies and their affiliates with member data being retained within EEA.
- External providers of additional voluntary contribution funds only if you have chosen to make such contributions.
- Annuity provider, Hargreaves Lansdowne, to provide annuity quotes for members who hold residual additional voluntary contributions.
- The BT Benevolent Fund (the “Fund”), to inform you of its activities by post, to provide you with the opportunity to contribute to the Fund and to provide you with the opportunity to request financial assistance if you are eligible.
- UK trade unions you are a member of, such as the Communication Workers Union (CWU), only if you have chosen to make contributions to a trade union from your pension receipts.
- Other voluntary deduction societies, only if you have chosen to make such deductions directly from your pension receipts.
- Legal and other professional advisers located in UK / EEA, to provide us with legal and other professional services (who in certain circumstances will also be ‘data controllers’).
- Actuarial (Willis Towers Watson and the Scheme Actuary), administration and consultancy services providers located in UK / EEA (who in certain circumstances will also be ‘data controllers’) – please refer to www.willistowerswatson.com/personal-data for information on how Willis Towers Watson uses personal data when it provides actuarial services to UK pension scheme trustees.
- Existence check providers including but not limited to Equifax and Lexis Nexis located in UK / EEA.
- The Pensions Advisory Service and the Pensions Ombudsman, to deal with complaints and resolve disputes.
- HMRC to account for payments made to you and other government agencies when requested for example but not limited to court production orders, fraud investigations.
- HUB Pension Consulting Limited and WPS Advisory Limited if you have given us authority to share data to enable them to provide you with financial advice. Please refer to www.hubpensionconsulting.co.uk/privacy-policy and www.wpsadvisory.com/privacy-policy for information on how HUB and WPS use the personal data we send them.
- Riskonnect Inc. and associated organisations for risk management and associated reporting.
- For member communications, satisfaction surveys and member feedback we share data with Sabio, Concert, Mailjet, Survey Monkey, GetFeedback, Intrado and Google Analytics.
- Club Vita, for the purpose of lifespan and longevity analytics.
- PICA (The Prudential Insurance Company of America) Hedge management of funds.
- Onfido for the Identification and Verification stages of the Online Retirements journey.
- Independent audit bodies including KPMG, BDO and BSI for the purpose of financial and organisational reporting, and maintenance of certifications and standards.
- Member or beneficiary tracing may be carried out by providers including but not limited to Kent Financial Services.
|
We will share your information with law enforcement agencies, public authorities or other organisations if legally required to do so, or if we have a good faith belief that such use is reasonably necessary to |
Categories of recipients |
- Comply with a legal obligation, process or request.
- Enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;li>
- Detect, prevent, investigate or otherwise address security, fraud or technical issues; or
- Protect the rights, property or safety of us, our users, a third party or the public as required or permitted by law (exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction).
|
We will also disclose your information to third parties |
Categories of recipients |
- If we sell any business or assets, in which case we will disclose your data to the prospective buyer of such business or assets; or
- If we or substantially all of our assets are acquired by a third party, in which case information held by us about our users will be one of the transferred assets.
|
15.3 Your Right to Erasure
Right to Erasure |
You may request that we erase the personal data we hold about you in the following circumstances |
Right to Erasure |
- You believe that it is no longer necessary for us to hold the personal data we hold about you.
- We are processing the personal data we hold about you based on your consent (please contact us via our contact details above, and you wish to withdraw your consent and there is no other ground under which we can process the personal data.
- We are processing the personal data we hold about you based on our legitimate interest (please contact us via our contact details above), and you object to such processing. Please provide us with details as to your reasoning via our contact details above so that we can assess whether there is an overriding interest for us to retain such personal data; or
- You believe the personal data we hold about you is being unlawfully processed by us.
Also note that you may exercise your right to restrict our processing the data whilst we consider your request as described below.
Please provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for us to erase your personal data. Please note, however, that we may retain the personal data if there are valid grounds under law for us to do so (e.g., for the defence of legal claims or freedom of expression) but we will let you know if that is the case.
Where you have requested that we erase your personal data that we have made public and there are grounds for erasure, we will use reasonable steps try to tell others that are displaying the data or providing links to the data to erase the personal data too.
|
15.4 Restriction of Processing to Storage Only
Restriction of Processing to Storage Only
|
You have a right to require us to stop processing the personal data we hold about you other than for storage purposes in certain circumstances. Please note, however, that if we stop processing the personal data, we may use it again if there are valid grounds under data protection law for us to do so (e.g. for the defence of legal claims or to protect the rights and freedom of another person).
You may request we stop processing and just store the personal data we hold about you if
- You believe the personal data is not accurate for the period it takes for us to verify your claim.
- We wish to erase the personal data as the processing we are doing is unlawful but you want us to retain the personal data for storage but not further process it.
- We wish to erase the personal data as it is no longer necessary for our purposes but you require it to be stored for the establishment, exercise or defence of legal claims; or
- you have objected to us processing personal data we hold about you on the basis of our legitimate interest (please contact us via our contact details above), and you wish us to stop
processing the personal data whilst we determine whether there is an overriding interest in us retaining such personal data.
You may object where:
- we are processing the data we hold about you based on our legitimate interest or public interest (please contact us via our contact details above about why you object to such processing). Please provide us with detail as to your reasoning so that we can assess whether there is a compelling overriding interest in us continuing to process such data or we need to process it in relation to legal claims. Also note that you may exercise your right to request that we stop processing the data whilst we make the assessment on an overriding interest by ticking the box for that purpose on the Data Subject Rights Form.
- we are processing the data based on historical/scientific research or statistics and you have a particular reason to object. Your right would not apply where we have been tasked with and it is necessary for us to undertake such processing in the public interest.
|
15.5 Transfer Mechanism
Transfer Mechanism
|
- Model Clauses: The personal data that we collect from you will be transferred to, stored at and/or processed by the relevant recipient under a written agreement incorporating the EU Commission’s model clauses for the transfer of personal data to third countries (the “Model Clauses”), pursuant to Decision 2010/87/EU. A copy of these Model Clauses is available upon request.
- Please see section 14 “Contact” of this Privacy Notice on how to request a copy.
|